CVE-2025-11704 is a Local File Inclusion vulnerability classified under CWE-98, affecting the Elegance Menu plugin for WordPress developed by impacttechlab. The vulnerability exists in all versions up to and including 1.9 and is triggered through the 'elegance-menu' attribute of the 'elegance-menu' shortcode. Authenticated users with Contributor-level access or higher can manipulate this attribute to include arbitrary PHP files from the server, leading to remote code execution. This occurs because the plugin improperly controls the filename used in include/require statements, failing to validate or sanitize input properly. Exploiting this vulnerability allows attackers to execute arbitrary PHP code, bypass access controls, and potentially access or modify sensitive data stored on the server. The attack vector is network-based, requiring authentication but no additional user interaction. The CVSS v3.1 score of 7.5 indicates high severity, with attack complexity rated high due to the need for authenticated access but with significant impacts on confidentiality, integrity, and availability. No patches or fixes are currently published, and no known exploits have been observed in the wild. The vulnerability poses a serious risk to WordPress sites using this plugin, especially those with multiple contributors or less restrictive user role management.

For European organizations, this vulnerability presents a significant threat to WordPress-based websites that utilize the Elegance Menu plugin. Successful exploitation can lead to full server compromise, allowing attackers to execute arbitrary PHP code, access sensitive data, and bypass existing access controls. This can result in data breaches, defacement, or use of compromised servers as pivot points for further attacks within the network. Organizations relying on Contributor-level user roles for content management are particularly vulnerable, as these roles are sufficient to exploit the flaw. The impact extends to the availability of web services if attackers deploy malicious scripts or ransomware. Given the widespread use of WordPress across Europe, especially in SMEs and public sector websites, the vulnerability could disrupt business operations, damage reputations, and lead to regulatory non-compliance under GDPR if personal data is exposed.

1. Immediately restrict Contributor-level user permissions to prevent untrusted users from uploading or including arbitrary files. 2. Implement strict file upload controls and scanning to prevent uploading of malicious PHP files. 3. Monitor and audit usage of the 'elegance-menu' shortcode and related attributes for suspicious activity. 4. Apply web application firewall (WAF) rules to detect and block attempts to exploit this LFI vulnerability. 5. Disable or remove the Elegance Menu plugin if not essential until a patch is released. 6. Follow impacttechlab and WordPress security advisories closely for updates or patches and apply them promptly. 7. Conduct regular security assessments and penetration testing focusing on plugin vulnerabilities and user role configurations. 8. Educate content contributors about the risks of uploading executable files and enforce strict content policies.