CVE-2025-11746: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in 8theme XStore
The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via the et_ajax_required_plugins_popup() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-11746 is a path traversal vulnerability categorized under CWE-22, found in the 8theme XStore WordPress theme, versions up to and including 9.5.4. The vulnerability resides in the et_ajax_required_plugins_popup() function, which improperly restricts pathname inputs, allowing an authenticated attacker with Subscriber-level privileges or higher to perform Local File Inclusion (LFI). This flaw enables the attacker to include arbitrary .php files already present on the server, leading to execution of the PHP code they contain. Since the Subscriber role is commonly granted to self-registered, low-privilege users, this significantly lowers the bar for exploitation. If the site exposes any upload functionality that accepts .php files, an attacker can upload a malicious file and then include it via the vulnerable function, bypassing normal access controls. The vulnerability is remotely exploitable over the network without user interaction beyond authentication. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. No official patches or exploit code are currently publicly available, but the vulnerability is published and known to security researchers. The flaw can lead to full server compromise, data leakage, and persistent backdoors if exploited.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on WordPress sites with the XStore theme for e-commerce, corporate, or informational purposes. Exploitation can lead to unauthorized access to sensitive customer data, intellectual property, and internal systems. The ability to execute arbitrary PHP code can result in complete server takeover, enabling attackers to deploy ransomware, steal data, or pivot within the network. Given the widespread use of WordPress in Europe and the popularity of XStore among e-commerce sites, the potential impact includes financial loss, reputational damage, and regulatory penalties under GDPR for data breaches. Organizations with less mature patch management or those allowing subscriber-level registrations on public-facing sites are particularly vulnerable. The vulnerability could also be leveraged in supply chain attacks if attackers compromise theme installations used by multiple clients.
Mitigation Recommendations
Immediate mitigation involves updating the XStore theme to a patched version once released by 8theme. Until a patch is available, organizations should restrict Subscriber-level user capabilities, disable file upload functionality where possible, and limit access to the vulnerable AJAX action via web application firewall (WAF) rules or custom code that validates the file parameter against an allowlist rather than accepting arbitrary paths. Monitoring web server and application logs for unusual file inclusion attempts or unexpected PHP file uploads is critical. Employing runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions can help detect exploitation attempts. Additionally, organizations should review user roles and permissions to minimize the number of accounts with Subscriber or higher privileges, for example by disabling open registration where it is not needed. Network segmentation and limiting public exposure of WordPress admin interfaces can reduce the attack surface. Regular backups and incident response plans should be prepared in case of compromise.
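The recommendation above to confine the AJAX action with custom validation can be illustrated with a hardened handler pattern. The following is an added example written for this page; it is not XStore code and does not reproduce the vulnerable function. The handler name, the `popup` request parameter, the nonce action, the allowlisted template names, and the `templates/popups/` directory are all assumptions chosen for illustration. It shows the three controls a safe include needs: a capability check so a Subscriber never reaches the include, an allowlist so raw input never becomes a path, and a realpath containment check as defence in depth.

```php
<?php
// Added example, not part of the XStore theme. Function names, the 'popup'
// parameter, the nonce action and the templates/popups/ directory are
// hypothetical and exist only to demonstrate the hardened pattern.

/**
 * Map a user-supplied template name to a file inside $base_dir.
 * Returns the resolved path, or null if the request must be rejected.
 */
function hypothetical_resolve_template( string $requested, string $base_dir ): ?string {
    // 1. Allowlist: only known template names are ever considered. Anything
    //    containing '../', a null byte or an absolute path fails this test
    //    before it can influence the file system lookup.
    $allowed = array( 'required-plugins', 'demo-import', 'welcome' );
    if ( ! in_array( $requested, $allowed, true ) ) {
        return null;
    }

    // 2. Build the path from the allowlisted constant, never from raw input.
    $root      = realpath( $base_dir );
    $candidate = realpath( rtrim( $base_dir, '/' ) . '/' . $requested . '.php' );

    // 3. Defence in depth: the resolved file must still sit inside $base_dir.
    //    This catches symlinks and any future careless edit to the allowlist.
    if ( false === $root || false === $candidate ) {
        return null;
    }
    if ( 0 !== strpos( $candidate, $root . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $candidate;
}

function hypothetical_popup_handler() {
    // Authorisation first: a plugin-install popup is an administrator task,
    // so require a capability the Subscriber role never has.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    // CSRF protection for the privileged action.
    check_ajax_referer( 'hypothetical_popup_nonce', 'nonce' );

    $requested = isset( $_POST['popup'] ) ? sanitize_key( wp_unslash( $_POST['popup'] ) ) : '';
    $template  = hypothetical_resolve_template(
        $requested,
        get_template_directory() . '/templates/popups'
    );

    if ( null === $template ) {
        wp_send_json_error( 'unknown template', 400 ); // exits
    }

    ob_start();
    include $template;
    wp_send_json_success( ob_get_clean() );
}
add_action( 'wp_ajax_hypothetical_popup', 'hypothetical_popup_handler' );
```

The order matters: the capability check runs before any input is examined, so a low-privilege account receives a 403 without exercising the file lookup at all, and the allowlist means a rejected request can be logged as a single, unambiguous "unknown template" event, which is the kind of signal the log monitoring recommended above can alert on.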
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T14:23:56.888Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ef0c4955734f1608eb63a9
Added to database: 10/15/2025, 2:51:53 AM
Last enriched: 10/15/2025, 3:06:49 AM
Last updated: 10/15/2025, 10:07:12 AM