CVE-2025-12824: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in tharkun69 Player Leaderboard
The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve full remote code execution if combined with file upload capabilities.
AI Analysis
Technical Summary
The Player Leaderboard plugin for WordPress, up to version 1.0.2, contains a critical Local File Inclusion vulnerability identified as CVE-2025-12824. This vulnerability arises from improper validation of the 'mode' attribute in the 'player_leaderboard' shortcode, which is directly passed to a PHP include() function without sanitization. This CWE-22 path traversal flaw allows an authenticated attacker with at least Contributor-level privileges to manipulate the 'mode' parameter to include arbitrary PHP files from the server. Exploiting this flaw can lead to execution of arbitrary PHP code, enabling attackers to bypass access controls, access sensitive files, or execute remote code if combined with file upload vulnerabilities. The attack vector requires network access and authentication but no user interaction beyond that. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high impact on confidentiality, integrity, and availability. No official patches or updates have been released at the time of publication, and no active exploitation has been reported. The plugin's widespread use in WordPress environments makes this a significant threat, especially in scenarios where Contributor-level access is granted to untrusted users or where file upload capabilities exist. The vulnerability underscores the importance of input validation and secure coding practices in WordPress plugin development.
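As an added illustration (not the plugin's own code, which the advisory does not reproduce), the following shows the class of bug described above, an include() path built from the shortcode's 'mode' attribute, beside an allowlist-based hardened form. The function names, the PL_TEMPLATE_DIR constant and the template names are assumptions; only the 'player_leaderboard' tag and the 'mode' attribute come from the advisory.

```php
<?php
// Illustrative example written for this page; not code from the Player Leaderboard plugin.
// Assumed: templates live in a fixed directory and are selected by a short name.
define( 'PL_TEMPLATE_DIR', __DIR__ . '/templates' );

// VULNERABLE pattern (the flaw class the advisory describes): the attribute value
// is used directly to build the path handed to include(), with no validation.
function pl_render_leaderboard_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'mode' => 'default' ), $atts, 'player_leaderboard' );
    ob_start();
    include PL_TEMPLATE_DIR . '/' . $atts['mode'] . '.php'; // user-controlled path component
    return ob_get_clean();
}

// HARDENED form: the attribute is matched against a fixed allowlist of template
// names, and the resolved file is confirmed to sit inside the template directory.
function pl_allowed_modes() {
    return array( 'default', 'weekly', 'monthly', 'alltime' ); // assumed template names
}

function pl_resolve_template( $mode ) {
    $mode = strtolower( (string) $mode );
    if ( ! in_array( $mode, pl_allowed_modes(), true ) ) {
        $mode = 'default'; // unknown values fall back instead of becoming a path
    }
    $base = realpath( PL_TEMPLATE_DIR );
    $file = realpath( $base . '/' . $mode . '.php' );
    // Defence in depth: reject anything that resolves outside the template directory.
    if ( false === $base || false === $file
         || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $file;
}

function pl_render_leaderboard_hardened( $atts ) {
    $atts = shortcode_atts( array( 'mode' => 'default' ), $atts, 'player_leaderboard' );
    $file = pl_resolve_template( $atts['mode'] );
    if ( false === $file ) {
        return ''; // render nothing rather than include an unexpected file
    }
    ob_start();
    include $file;
    return ob_get_clean();
}

add_shortcode( 'player_leaderboard', 'pl_render_leaderboard_hardened' );
```

The allowlist is the actual fix; the realpath() containment check only guards against a future change that reintroduces user input into the path.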
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of web servers running vulnerable versions of the Player Leaderboard plugin. Exploitation can lead to unauthorized disclosure of sensitive data, including configuration files, user data, and potentially credentials stored on the server. Attackers can also execute arbitrary PHP code, which may result in full system compromise, defacement, or use of the server as a pivot point for further attacks within the network. Organizations relying on WordPress for public-facing websites or internal portals are at risk, especially if Contributor or higher privileges are granted to external or less-trusted users. The absence of patches increases the window of exposure, and the potential for combining this vulnerability with file upload flaws exacerbates the threat. Disruption of services or data breaches could lead to regulatory penalties under GDPR and damage to reputation. The impact is heightened in sectors with stringent data protection requirements, such as finance, healthcare, and government institutions across Europe.
Mitigation Recommendations
1. Immediately audit and restrict Contributor-level and higher access to trusted users only, minimizing the risk of exploitation.
2. Disable or remove the Player Leaderboard plugin if it is not essential, to reduce the attack surface.
3. Implement Web Application Firewall (WAF) rules to detect and block attempts to exploit the 'mode' parameter in the shortcode.
4. Monitor server logs for unusual include() calls or access patterns indicative of path traversal attempts.
5. Enforce strict file upload controls and scanning to prevent attackers from uploading malicious PHP files that could be included via this vulnerability.
6. Apply the principle of least privilege to the web server and PHP execution environment to limit the impact of code execution.
7. Keep WordPress core and all plugins updated; monitor vendor announcements for patches or updates addressing this vulnerability.
8. Consider isolating WordPress instances in containerized or sandboxed environments to contain potential compromises.
9. Conduct regular security assessments and penetration tests focusing on plugin vulnerabilities and privilege escalation paths.
10. Educate administrators and developers about secure coding practices, especially input validation and sanitization.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T19:06:04.782Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693b9182650da22753edbadb
Added to database: 12/12/2025, 3:52:34 AM
Last enriched: 12/12/2025, 4:01:58 AM
Last updated: 12/15/2025, 3:47:41 AM