The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the ‘lang’ parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files.

OEM	WordPress
Severity	Critical
CVSS score	9.8
CVEs	CVE-2025-2505
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview 

A critical vulnerability (CVE-2025-2505) in the Age Gate plugin for WordPress allows unauthenticated Local PHP File Inclusion (LFI), potentially enabling remote code execution. This flaw affects all versions up to 3.5.3 and has been patched in version 3.5.4. Over 40,000 websites are affected by this vulnerability. 

This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
Improper Limitation of a Pathname to a Restricted Directory	CVE-2025-2505	Age Gate WordPress Plugin	Critical	v3.5.4

Technical Summary 

The vulnerability exists due to improper limitation of pathname input, leading to an unauthenticated Local PHP File Inclusion (LFI) attack through the lang parameter. This flaw can be exploited by attackers to execute arbitrary PHP files, bypass access controls, and compromise server security. 

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-2505	WordPress websites using Age Gate Plugin (<=3.5.3)	Local PHP File Inclusion via ‘lang’ parameter allows execution of arbitrary PHP files.	Unauthorized code execution, data exfiltration, privilege escalation, potential full server compromise.

Remediation: 

• Update Age Gate plugin to version 3.5.4 or later as soon as possible. 

Conclusion: 

Attackers can potentially: – Include and execute arbitrary PHP files on the server – Bypass access controls – Obtain sensitive site data – Achieve remote code execution – Compromise the entire WordPress site’s integrity and availability

This vulnerability poses a severe risk to WordPress websites utilizing the Age Gate plugin. Prompt patching and proactive security measures are crucial to mitigating potential attacks.

Users are strongly advised to update to the latest version without delay to protect their websites from unauthorized code execution. 

CVE-2025-2505 affects all versions of the Age Gate plugin for WordPress up to and including version 3.5.3.

References: 

• https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/age-gate/age-gate-353-unauthenticated-local-php-file-inclusion-via-lang 

• https://wordpress.org/plugins/age-gate/ 

• https://securityonline.info/critical-wordpress-plugin-vulnerability-exposes-over-40000-websites-to-code-execution-attacks/