
CVE-2025-11722: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in ikhodal Woocommerce Category and Products Accordion Panel

Severity: High
Tags: Vulnerability, CVE-2025-11722, CWE-98
Published: Wed Oct 15 2025 (10/15/2025, 08:25:56 UTC)
Source: CVE Database V5
Vendor/Project: ikhodal
Product: Woocommerce Category and Products Accordion Panel

Description

The Woocommerce Category and Products Accordion Panel plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'categoryaccordionpanel' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

AI-Powered Analysis

Last updated: 10/15/2025, 08:49:18 UTC

Technical Analysis

CVE-2025-11722 is a Local File Inclusion vulnerability classified under CWE-98 in the ikhodal Woocommerce Category and Products Accordion Panel plugin for WordPress. It affects all versions up to and including 1.0 and is triggered via the 'categoryaccordionpanel' shortcode. Because the filename passed to a PHP include or require statement is not properly controlled, an authenticated attacker with at least Contributor-level permissions can make the plugin include arbitrary PHP files from the server, leading to remote code execution. This can be leveraged to bypass access controls, extract sensitive information, or execute malicious code on the hosting server. Exploitation requires no user interaction beyond authentication, but the attacker must hold an account with Contributor or higher privileges, which are commonly granted to users who can upload content or files. The CVSS v3.1 score is 7.5, reflecting high impact on confidentiality, integrity, and availability, with a network attack vector, high attack complexity, and low privileges required. No patches or fixes are currently published, and no exploits are known in the wild as of the publication date. The vulnerability poses a significant risk to WordPress sites using this plugin, especially those with many contributors or weak user management policies.
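As an added illustration (hypothetical code, not the ikhodal plugin's source), the handler below shows the CWE-98 pattern the advisory describes next to a hardened form that maps the shortcode attribute through a fixed allowlist and confines the resolved path; the attribute name 'layout', the template file names and the function names are assumptions.

```php
<?php
// Added illustration of CWE-98 in a WordPress shortcode handler.
// Hypothetical code, NOT the ikhodal plugin's source; the 'layout'
// attribute and the template file names are assumptions.

// Anti-pattern: the file to include is built directly from a shortcode
// attribute. Anyone who can place a shortcode in post content (Contributor
// and above) therefore controls what gets include()d.
function wcap_render_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'layout' => 'default' ), $atts, 'categoryaccordionpanel' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['layout'] . '.php';
    return ob_get_clean();
}

// Hardened: the attribute is only used as a key into a fixed allowlist, so
// attacker-controlled text never becomes part of a file path.
function wcap_resolve_template( $layout ) {
    static $allowed = array(
        'default' => 'accordion-default.php',
        'compact' => 'accordion-compact.php',
    );
    if ( ! is_string( $layout ) || ! isset( $allowed[ $layout ] ) ) {
        return null;
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $allowed[ $layout ] );
    // Defence in depth: the resolved file must still sit under templates/.
    if ( false === $base || false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $file;
}

function wcap_render_safe( $atts ) {
    $atts = shortcode_atts( array( 'layout' => 'default' ), $atts, 'categoryaccordionpanel' );
    $file = wcap_resolve_template( sanitize_key( $atts['layout'] ) );
    if ( null === $file ) {
        return ''; // unknown layout: render nothing rather than guess a path
    }
    ob_start();
    include $file;
    return ob_get_clean();
}
add_shortcode( 'categoryaccordionpanel', 'wcap_render_safe' );
```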

Potential Impact

For European organizations, this vulnerability could lead to severe consequences including unauthorized access to sensitive customer data, theft of intellectual property, and full compromise of the web server hosting the affected WordPress site. E-commerce platforms relying on the Woocommerce Category and Products Accordion Panel plugin may face disruption of services, reputational damage, and financial losses due to data breaches or defacement. The ability for attackers to execute arbitrary PHP code means they could implant backdoors, pivot to internal networks, or disrupt business operations. Since Contributor-level access is sufficient for exploitation, organizations with multiple content editors or contributors are at elevated risk. The impact is particularly critical for sectors such as retail, finance, and healthcare, where data confidentiality and service availability are paramount. Additionally, compliance with GDPR and other data protection regulations could be jeopardized if personal data is exposed or compromised.

Mitigation Recommendations

Immediate mitigation steps include auditing and restricting user roles to minimize the number of users with Contributor-level or higher access. Organizations should enforce strict file upload policies, allowing only safe file types and scanning uploads for malicious content. Monitoring and logging shortcode usage and file inclusion attempts can help detect exploitation early. Until an official patch is released, consider disabling or removing the vulnerable plugin entirely if it is not critical to operations. If the plugin is essential, protect the WordPress environment with a web application firewall (WAF) configured with rules to detect and block suspicious include requests. Regularly update WordPress core and all plugins to their latest versions and subscribe to vulnerability advisories for timely patching. Conduct penetration testing focused on file inclusion vulnerabilities and review user permissions periodically. Implementing multi-factor authentication (MFA) for all users also reduces the risk of compromised credentials being used to exploit this vulnerability.


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-10-13T20:19:52.129Z
CVSS Version
3.1
State
PUBLISHED

Threat ID: 68ef5c7ec4f69c9730e56a12

Added to database: 10/15/2025, 8:34:06 AM

Last enriched: 10/15/2025, 8:49:18 AM

Last updated: 10/15/2025, 2:16:34 PM

