wordpress

Security Advisory

WordPress Age Gate Plugin Critical Vulnerability (CVE-2025-2505) Affects Over 40,000 Websites 

The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the ‘lang’ parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files.

OEM WordPress 
Severity Critical 
CVSS score 9.8 
CVEs CVE-2025-2505 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A critical vulnerability (CVE-2025-2505) in the Age Gate plugin for WordPress allows unauthenticated Local PHP File Inclusion (LFI), potentially enabling remote code execution. This flaw affects all versions up to 3.5.3 and has been patched in version 3.5.4. Over 40,000 websites are affected by this vulnerability. 

This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
 Improper Limitation of a Pathname to a Restricted Directory  CVE-2025-2505  Age Gate WordPress Plugin  Critical  v3.5.4  

Technical Summary 

The vulnerability exists due to improper limitation of pathname input, leading to an unauthenticated Local PHP File Inclusion (LFI) attack through the lang parameter. This flaw can be exploited by attackers to execute arbitrary PHP files, bypass access controls, and compromise server security. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-2505  WordPress websites using Age Gate Plugin (<=3.5.3)  Local PHP File Inclusion via ‘lang’ parameter allows execution of arbitrary PHP files.  Unauthorized code execution, data exfiltration, privilege escalation, potential full server compromise. 

Remediation

  • Update Age Gate plugin to version 3.5.4 or later as soon as possible. 

Conclusion: 

Attackers can potentially: – Include and execute arbitrary PHP files on the server – Bypass access controls – Obtain sensitive site data – Achieve remote code execution – Compromise the entire WordPress site’s integrity and availability

This vulnerability poses a severe risk to WordPress websites utilizing the Age Gate plugin. Prompt patching and proactive security measures are crucial to mitigating potential attacks.

Users are strongly advised to update to the latest version without delay to protect their websites from unauthorized code execution. 

CVE-2025-2505 affects all versions of the Age Gate plugin for WordPress up to and including version 3.5.3.

References: 

Security Advisory

Critical WordPress Security Flaw in Everest Forms Plugin 

UAE Cyber Security Council has observed a critical vulnerability in Everest Forms WordPress
plugin

Continue Reading
Security Advisory

Privilege Escalation Vulnerability in ComboBlocks Plugin Affects Thousands of Sites

A critical vulnerability in the ComboBlocks WordPress plugin (formerly Post Grid and Gutenberg Blocks) exposes over 40,000 websites to potential complete takeover by unauthenticated attackers. This vulnerability exists due to improper handling of user meta during the registration process, enabling privilege escalation. It affects versions 2.2.85 to 2.3.3 and has been addressed in version 2.3.4.

OEM

WordPress

Severity

Critical

Date of Announcement

2025-01-17

CVSS score

9.8

CVE

CVE-2024-9636

Exploited in Wild

No

Patch/Remediation Available

Yes 

Advisory Version

1.0

Overview

ComboBlocks, a plugin designed to enhance website design and functionality, was found to have a critical security flaw (CVE-2024-9636) that could allow unauthenticated attackers to register as administrators, granting them full control over the affected websites.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Unauthenticated Privilege Escalation
Vulnerability

 CVE-2024-9636

ComboBlocks WordPress Plugin

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-9636

ComboBlocks plugin (2.2.85 - 2.3.3)

The vulnerability stems from improper restriction of user meta updates during profile registration. This flaw allows unauthenticated attackers to register as administrators, granting them full control over the website.


Complete website takeover and malware injection.

Remediations

  1. Update Plugin: Immediately update the ComboBlocks plugin to version 2.3.4 or later.
  2. Review Administrative Accounts:
  • Audit all user accounts with administrative privileges.
  • Revoke any unauthorized access.
  1. Enhance Security Posture:
  • Enable multi-factor authentication (MFA) for all admin accounts.
  • Restrict user permissions based on the principle of least privilege.
  • Use a web application firewall (WAF) to filter and block malicious traffic.
  1. Monitor and Log Activity:
  • Activate detailed logging for user registration and privilege changes.
  • Configure alerts for unusual activity, such as mass registrations or privilege escalations.
  1. Implement Preventative Measures:
  • Regularly update all plugins and themes.
  • Backup the WordPress site frequently to ensure quick recovery in case of any compromise.

References

Scroll to top