
CVE-2025-11722: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in ikhodal Woocommerce Category and Products Accordion Panel

Severity: High
Tags: vulnerability, cve-2025-11722, cwe-98
Published: Wed Oct 15 2025 (10/15/2025, 08:25:56 UTC)
Source: CVE Database V5
Vendor/Project: ikhodal
Product: Woocommerce Category and Products Accordion Panel

Description

The Woocommerce Category and Products Accordion Panel plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'categoryaccordionpanel' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 02/27/2026, 19:12:27 UTC

Technical Analysis

CVE-2025-11722 is a Local File Inclusion vulnerability classified under CWE-98, affecting the ikhodal Woocommerce Category and Products Accordion Panel WordPress plugin in all versions up to 1.0. The vulnerability exists due to improper validation and control of filenames used in PHP include or require statements within the 'categoryaccordionpanel' shortcode functionality. Authenticated attackers with at least Contributor-level privileges can exploit this flaw by manipulating the shortcode parameters to include arbitrary PHP files stored on the server. This leads to arbitrary code execution under the web server's privileges, enabling attackers to bypass access controls, execute malicious PHP code, and potentially gain full control over the affected WordPress site. The vulnerability does not require user interaction beyond authentication but does require a low level of privilege, making it particularly dangerous in multi-user WordPress environments. The CVSS v3.1 score of 7.5 reflects a high severity due to network attack vector, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No patches or official fixes are currently available, and no known exploits have been observed in the wild. The vulnerability is critical for sites that allow uploading PHP files or have weak file upload restrictions, as these files can be included and executed by the attacker.

Potential Impact

The impact of CVE-2025-11722 is significant for organizations running WordPress sites with the vulnerable plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary PHP code on the server. This can result in full site compromise, including defacement, data theft, privilege escalation, and pivoting to internal networks. Confidential information such as user data, credentials, and business-critical information can be exposed or altered. The integrity of the website content and backend systems can be compromised, and availability may be affected if attackers deploy ransomware or destructive payloads. Since the vulnerability requires only Contributor-level access, attackers can leverage compromised or weak user accounts to escalate attacks. This threat is particularly concerning for e-commerce sites using Woocommerce, as it can lead to theft of payment information and customer data, damaging reputation and causing financial loss. The lack of public exploits currently reduces immediate risk but does not diminish the urgency of mitigation due to the ease of exploitation once an attacker gains authenticated access.

Mitigation Recommendations

To mitigate CVE-2025-11722, organizations should immediately restrict Contributor-level users from uploading or including PHP files by enforcing strict file upload policies and disabling PHP execution in upload directories. Implement input validation and sanitization on all shortcode parameters, especially those controlling file inclusion. Monitor and audit user activities for suspicious shortcode usage. Until an official patch is released, consider disabling or removing the vulnerable plugin from WordPress installations. Employ Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit file inclusion vulnerabilities. Regularly update WordPress core, plugins, and themes to minimize attack surface. Use the principle of least privilege for user roles, limiting Contributor access where possible. Conduct security assessments and penetration testing focused on file inclusion and code execution vulnerabilities. Finally, maintain regular backups and have an incident response plan ready in case of compromise.
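The allow-list validation that the recommendations above call for on shortcode parameters controlling file inclusion, shown here as an added example rather than code from the ikhodal plugin. The attribute name `layout`, the template file names and the function names are assumptions; the unsafe handler is included only to show the CWE-98 pattern the hardened one replaces.

```php
<?php
// Added example, not the plugin's code. The attribute name 'layout' and the
// template file names are assumptions used for illustration.

// Unsafe pattern (CWE-98): the attribute value flows straight into include,
// so anyone who can place the shortcode chooses which .php file executes.
function hypothetical_unsafe_accordion_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'layout' => 'default' ), $atts, 'categoryaccordionpanel' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['layout'] . '.php';
    return ob_get_clean();
}

// Hardened form: map each accepted attribute value to a fixed file, reject
// everything else, and confirm the resolved path stays inside the templates
// directory before including it.
function hypothetical_safe_accordion_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'layout' => 'default' ), $atts, 'categoryaccordionpanel' );

    // Closed allow-list: attribute value -> template file shipped with the plugin.
    $allowed = array(
        'default' => 'accordion-default.php',
        'compact' => 'accordion-compact.php',
    );
    $key = sanitize_key( $atts['layout'] ); // lowercase a-z0-9_- only
    if ( ! isset( $allowed[ $key ] ) ) {
        return ''; // unknown layout: render nothing rather than guess a file
    }

    // Defence in depth: even with an allow-list, verify the final real path
    // is inside the templates directory (guards against future edits that
    // weaken the allow-list or symlinked template files).
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $allowed[ $key ] );
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return '';
    }

    ob_start();
    include $file;
    return ob_get_clean();
}

// Only the hardened handler is registered for the shortcode.
add_shortcode( 'categoryaccordionpanel', 'hypothetical_safe_accordion_shortcode' );
```

Pair this with the other recommendation above: disable PHP execution in the uploads directory at the web server so that an uploaded .php file cannot be executed even if some other inclusion path is found.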


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-10-13T20:19:52.129Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ef5c7ec4f69c9730e56a12

Added to database: 10/15/2025, 8:34:06 AM

Last enriched: 2/27/2026, 7:12:27 PM

Last updated: 3/23/2026, 12:34:19 PM

Views: 182
