CVE-2025-13886 is a Local File Inclusion vulnerability classified under CWE-98 that affects the LT Unleashed WordPress plugin (all versions up to 1.1.1). The flaw exists due to improper control of the filename passed to the include/require statement within the 'book' shortcode's 'template' parameter. Specifically, the plugin fails to adequately sanitize or validate this parameter, enabling authenticated users with Contributor-level privileges or higher to manipulate the file path and include arbitrary files from the server. This can lead to the execution of arbitrary PHP code contained in those files. Attackers can exploit this to bypass WordPress access controls, read sensitive configuration files such as wp-config.php, and execute malicious code remotely. The vulnerability requires the attacker to have at least Contributor-level access, which is a low privilege level in WordPress, but no additional user interaction is needed. The CVSS v3.1 score is 7.5 (high), reflecting network attack vector, high impact on confidentiality, integrity, and availability, and the requirement for low privileges but high attack complexity. No public exploits have been reported yet, but the vulnerability poses a significant risk to affected installations. The plugin is widely used in WordPress environments, which are common in European organizations for websites and e-commerce platforms. The lack of a patch at the time of publication necessitates immediate mitigation steps to reduce exposure.

The impact of CVE-2025-13886 on European organizations is substantial due to the widespread use of WordPress and its plugins across various sectors including government, education, media, and commerce. Successful exploitation allows attackers to execute arbitrary PHP code on the web server, potentially leading to full site compromise, data breaches involving sensitive information such as customer data or internal credentials, and disruption of services. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR violations), and incur financial losses. Since the vulnerability requires only Contributor-level access, which is commonly granted to content creators and editors, insider threats or compromised user accounts can be leveraged to exploit this flaw. The ability to include critical files like wp-config.php can expose database credentials, enabling further lateral movement or persistent access. The high confidentiality, integrity, and availability impacts make this a critical concern for European entities relying on WordPress for their digital presence.

1. Immediately restrict Contributor-level permissions to trusted users only and review existing user roles to minimize exposure. 2. Monitor and audit user activity for suspicious behavior, especially for users with Contributor or higher privileges. 3. Implement strict input validation and sanitization at the web application level, particularly for parameters that control file inclusion. 4. Deploy a Web Application Firewall (WAF) with rules tailored to detect and block Local File Inclusion attempts targeting the 'template' parameter or similar vectors. 5. Regularly update the LT Unleashed plugin to the latest version once a patch addressing this vulnerability is released by the vendor. 6. Consider temporarily disabling or removing the vulnerable plugin if immediate patching is not possible. 7. Harden the server environment by restricting PHP file execution permissions and isolating WordPress directories to limit the impact of potential code execution. 8. Conduct penetration testing and vulnerability scanning focused on file inclusion and privilege escalation vectors to identify and remediate similar issues.