CVE-2025-13886: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in cvedovini LT Unleashed
The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'template' parameter in the `book` shortcode due to insufficient path sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files such as wp-config.php can be included.
AI Analysis
Technical Summary
CVE-2025-13886 is a Local File Inclusion vulnerability, classified under CWE-98, in the LT Unleashed plugin for WordPress. The flaw exists in all versions up to and including 1.1.1, in the handling of the `template` attribute of the `book` shortcode. Because the attribute value is not sufficiently sanitized before it reaches a PHP include/require statement, any user who can place the shortcode in post content, which Contributors and higher can do, can point it at an arbitrary file on the server filesystem. The shortcode is evaluated when the post is rendered, including in the author's own preview, so no editorial approval or publication step is needed. PHP executes the included file rather than displaying it: PHP files already on disk run inside the web server process, and if the attacker can get attacker-controlled PHP into any readable file on the host (for example through an unrelated upload feature), the result is remote code execution. Exploitation requires no user interaction once the attacker is authenticated, but it does require at least Contributor privileges, a role commonly granted to external authors and content creators. Successful exploitation can bypass WordPress access controls, expose sensitive configuration such as wp-config.php, and lead to full compromise of the hosting environment. The CVSS v3.1 base score is 7.5 (High), vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity and availability. At the time of this analysis no patch or public exploit is documented, but the flaw is straightforward for an authenticated attacker to trigger and should be treated as high severity.
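As an added illustration of the CWE-98 pattern described above, the following shows the shape this flaw typically takes in a WordPress shortcode handler next to a hardened version. This is example code written for this page, not the LT Unleashed plugin's actual source; the function names, the `templates/` directory and the `.php` suffix are assumptions.

```php
<?php
// Added example for this advisory: an illustrative vulnerable and hardened
// `book` shortcode handler. This is NOT the LT Unleashed plugin's real code;
// the function names, the templates/ directory and the .php suffix are
// assumptions made for the example.

// Vulnerable shape (CWE-98): the attacker-controlled `template` attribute is
// concatenated into an include() path with no containment check, so a value
// such as "../../../../wp-config" or an absolute path escapes the directory.
function lt_book_shortcode_vulnerable($atts): string {
    $atts = shortcode_atts(['template' => 'default'], (array) $atts, 'book');
    ob_start();
    include plugin_dir_path(__FILE__) . 'templates/' . $atts['template'] . '.php';
    return ob_get_clean();
}

// Hardened shape: validate the attribute as a plain slug, build the path
// ourselves, canonicalise it and require it to stay inside the template
// directory. Unknown or malicious names render nothing.
function lt_book_shortcode_hardened($atts): string {
    $atts = shortcode_atts(['template' => 'default'], (array) $atts, 'book');
    $path = lt_resolve_template((string) $atts['template'], plugin_dir_path(__FILE__) . 'templates');
    if ($path === null) {
        return '';
    }
    ob_start();
    include $path;
    return ob_get_clean();
}

// Returns the absolute path of an allowed template file, or null.
function lt_resolve_template(string $name, string $template_dir): ?string {
    // 1. Shape check: one path component, safe characters only. This alone
    //    blocks "..", "/", "\", NUL bytes and stream wrappers such as php://.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return null;
    }
    // 2. Containment check as defence in depth: resolve symlinks on both sides
    //    and require the candidate to live under the template directory.
    $base = realpath($template_dir);
    $real = realpath($template_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $real === false) {
        return null; // directory missing or template file does not exist
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

add_shortcode('book', 'lt_book_shortcode_hardened');
```

The slug check is what actually closes the hole; the `realpath` containment check costs little and catches cases the regex cannot see, such as a symlink inside the template directory that points elsewhere. Note that `$atts` is left untyped because WordPress passes an empty string, not an array, when a shortcode has no attributes.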
Potential Impact
The impact of CVE-2025-13886 is substantial for sites running the LT Unleashed WordPress plugin. Successful exploitation lets an attacker execute PHP files of their choosing inside the web server process, which can result in full server compromise: bypassing WordPress access controls, escalating from Contributor to effective administrator, reading secrets such as the database credentials in wp-config.php, and potentially pivoting to other internal systems. Malicious code run this way can also take the site offline. Because only Contributor-level access is required, an attacker who obtains such an account, whether through open registration with Contributor as the default role, credential theft or a malicious insider, can use this single flaw to take over the hosting environment. The result is a significant risk to data confidentiality, integrity and availability, with data breaches, defacement or service outages as likely outcomes, and the associated reputational, regulatory and operational consequences for the organization.
Mitigation Recommendations
To mitigate CVE-2025-13886, update the LT Unleashed plugin to a patched version as soon as one is available. Until then, deactivate the plugin or unregister the `book` shortcode, since the vulnerable code only runs when that shortcode is rendered. Restrict Contributor-level and higher access to trusted users, audit existing roles for unnecessary privileges, and review stored post content (including drafts, pending posts and revisions) for `[book ...]` shortcodes whose `template` attribute contains traversal sequences, absolute paths, null bytes or stream wrappers. Because the attribute lives inside saved post content rather than in a request parameter, a WAF rule that only inspects query strings will not see it; a WAF can still catch the post-save request that carries the shortcode, but a check over the stored content is more reliable. Harden PHP regardless: set `open_basedir` so the web server process cannot include files outside the site's directory tree, keep `allow_url_include=0` so the bug cannot be turned into remote file inclusion, and do not grant Contributors the `upload_files` capability (WordPress withholds it by default) so that no attacker-controlled PHP lands on disk. Monitor web and PHP error logs for include or "Failed to open stream" warnings that reference unexpected paths, which often accompany exploitation attempts. Apply least privilege to WordPress roles, enforce strong authentication, include file-inclusion checks in periodic security testing, and maintain tested backups and an incident response plan so the site can be recovered if it is compromised.
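The content review recommended above can be scripted. The following audit script is an added example written for this page, not part of the LT Unleashed plugin or of the advisory; it scans post rows for `[book]` shortcodes whose `template` attribute does not look like a plain template slug and reports them for review. The sample rows are constructed, and the slug alphabet it accepts is an assumption that should be adjusted to the plugin's real template names.

```php
<?php
// Added audit script for this advisory, not part of the LT Unleashed plugin.
// It scans stored post content (drafts, pending, published and revisions) for
// [book] shortcodes whose `template` attribute looks like a file-inclusion
// attempt. The rows below are constructed sample data; on a live site run it
// with `wp eval-file audit.php` and swap in the $wpdb query shown further down.

// Pull every `template` attribute value out of each [book ...] tag in the text.
function lt_extract_template_attrs(string $content): array {
    $values = [];
    if (!preg_match_all('/\[book\b([^\]]*)\]/i', $content, $tags)) {
        return $values;
    }
    foreach ($tags[1] as $attrs) {
        // Accept template="x", template='x' and bare template=x, as WordPress does.
        if (preg_match('/\btemplate\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i', $attrs, $m)) {
            // Exactly one of the three capture groups is populated.
            $values[] = ($m[1] ?? '') . ($m[2] ?? '') . ($m[3] ?? '');
        }
    }
    return $values;
}

// Returns a short reason if the value is not a plain template slug, else null.
// The slug alphabet is an assumption; widen it only if the plugin's real
// template names need more than letters, digits, dot, underscore and hyphen.
function lt_template_is_suspicious(string $value): ?string {
    $checks = [
        'null byte'         => '/\x00|%00/',
        'path traversal'    => '/\.\./',
        'absolute path'     => '/^(\/|[A-Za-z]:)/',
        'stream wrapper'    => '/^[a-z][a-z0-9+.\-]*:/i',   // php://, data:, phar:// ...
        'unsafe characters' => '/[^A-Za-z0-9_.\-]/',
    ];
    foreach ($checks as $reason => $pattern) {
        if (preg_match($pattern, $value)) {
            return $reason;
        }
    }
    return null;
}

// Run the checks over post rows and collect findings for review.
function lt_audit_book_shortcodes(array $rows): array {
    $findings = [];
    foreach ($rows as $row) {
        foreach (lt_extract_template_attrs($row['post_content']) as $value) {
            $reason = lt_template_is_suspicious($value);
            if ($reason !== null) {
                $findings[] = [
                    'post_id'  => (int) $row['ID'],
                    'author'   => (int) $row['post_author'],
                    'status'   => $row['post_status'],
                    'template' => $value,
                    'reason'   => $reason,
                ];
            }
        }
    }
    return $findings;
}

// Constructed sample rows, not real site data.
$rows = [
    ['ID' => 101, 'post_author' => 7, 'post_status' => 'draft',   'post_content' => 'Review: [book template="classic"] ...'],
    ['ID' => 102, 'post_author' => 7, 'post_status' => 'draft',   'post_content' => '[book template="../../../../wp-config"]'],
    ['ID' => 103, 'post_author' => 3, 'post_status' => 'publish', 'post_content' => "[book template='php://filter/convert.base64-encode/resource=wp-config.php']"],
    ['ID' => 104, 'post_author' => 9, 'post_status' => 'pending', 'post_content' => '[book template=/etc/passwd]'],
];
// Live site alternative (inside wp eval-file, $wpdb is available):
// $rows = $wpdb->get_results("SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts} WHERE post_content LIKE '%[book%'", ARRAY_A);

foreach (lt_audit_book_shortcodes($rows) as $f) {
    printf("post %d (author %d, %s): template=%s -> %s\n",
        $f['post_id'], $f['author'], $f['status'], $f['template'], $f['reason']);
}
```

Querying `wp_posts` without filtering on `post_type` or `post_status` is deliberate: the shortcode fires in previews of drafts and in revisions as well as in published posts, so an audit that only looks at published content misses the cases a Contributor is most likely to use. Treat each finding as an incident lead and check the author account and the server's PHP error log for include warnings around the post's modification time.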
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-02T14:39:54.615Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 693b7fd3650da22753e7b18e
Added to database: 12/12/2025, 2:37:07 AM
Last enriched: 2/27/2026, 10:26:56 AM
Last updated: 3/24/2026, 12:18:29 AM