The Player Leaderboard plugin for WordPress, developed by tharkun69, suffers from a critical path traversal vulnerability identified as CVE-2025-12824. This vulnerability is due to improper limitation of a pathname to a restricted directory (CWE-22) in all versions up to and including 1.0.2. Specifically, the plugin uses the 'mode' attribute from the 'player_leaderboard' shortcode without proper sanitization or validation before passing it to a PHP include() function. Because include() executes PHP code from the specified file, an attacker with Contributor-level or higher privileges can manipulate the 'mode' parameter to include arbitrary files on the server. This Local File Inclusion (LFI) can lead to execution of arbitrary PHP code if the attacker can upload malicious files or leverage existing files containing executable code. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based with low complexity. The CVSS 3.1 score is 8.8 (high), reflecting the ease of exploitation and the significant impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the flaw poses a serious risk to WordPress sites using this plugin. The vulnerability allows attackers to bypass access controls, read sensitive files, and potentially achieve full remote code execution, which could lead to complete server compromise.

The impact of CVE-2025-12824 is substantial for organizations running WordPress sites with the vulnerable Player Leaderboard plugin. Attackers with Contributor-level access can exploit this flaw to execute arbitrary PHP code, potentially leading to full remote code execution. This compromises the confidentiality of sensitive data stored on the server, including user information and configuration files. Integrity is at risk as attackers can modify files or inject malicious code, while availability may be disrupted through server manipulation or denial-of-service conditions. The vulnerability also enables bypassing of access controls, allowing privilege escalation and lateral movement within the affected environment. Organizations relying on this plugin for community engagement or gamification features face increased risk of website defacement, data breaches, and persistent backdoors. Given WordPress’s widespread use, the threat could affect a large number of websites, especially those with multiple contributors or editors. The absence of public exploits currently provides a window for remediation, but the high severity score indicates urgent action is necessary to prevent exploitation.

To mitigate CVE-2025-12824, organizations should immediately update the Player Leaderboard plugin to a patched version once available. In the absence of an official patch, administrators should disable or remove the plugin to eliminate the attack surface. Restrict Contributor-level user permissions by reviewing and tightening role capabilities to prevent unauthorized shortcode usage. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests containing path traversal patterns in shortcode parameters. Conduct code audits to ensure all user inputs passed to include() or similar functions are properly sanitized and validated against a whitelist of allowed paths. Monitor server logs for unusual file inclusion attempts or PHP errors indicative of exploitation attempts. Additionally, enforce strict file upload controls and scan uploaded files for malicious content to prevent attackers from leveraging file uploads for remote code execution. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs.