CVE-2025-13886 is a Local File Inclusion vulnerability classified under CWE-98, found in the LT Unleashed WordPress plugin (versions up to and including 1.1.1). The vulnerability stems from improper control of the filename used in an include/require statement within the plugin's 'book' shortcode, specifically the 'template' parameter. Because the plugin does not sufficiently sanitize this parameter, authenticated users with Contributor-level privileges or higher can manipulate the parameter to include arbitrary files from the server's filesystem. This can lead to arbitrary PHP code execution if the included files contain executable PHP code. Attackers can leverage this to bypass WordPress access controls, access sensitive configuration files such as wp-config.php, or execute malicious payloads, potentially leading to full site compromise. The vulnerability is remotely exploitable over the network without user interaction but requires authentication with low privileges, making it a significant threat. The CVSS v3.1 score is 7.5, reflecting high impact on confidentiality, integrity, and availability, with a higher attack complexity due to the need for authenticated access. No patches or official fixes are currently linked, and no known exploits have been reported in the wild, indicating a window for proactive mitigation. The vulnerability affects all versions of the LT Unleashed plugin up to 1.1.1, which is used in WordPress environments, a widely deployed CMS platform.

For European organizations, this vulnerability poses a serious risk, especially for those relying on WordPress with the LT Unleashed plugin installed. Exploitation can lead to unauthorized disclosure of sensitive data, including database credentials and other configuration secrets, resulting in data breaches. The ability to execute arbitrary PHP code can allow attackers to implant backdoors, deface websites, or pivot to internal networks, severely impacting business continuity and reputation. Organizations in sectors such as e-commerce, media, education, and government that use WordPress extensively are particularly vulnerable. The requirement for authenticated access somewhat limits the attack surface but does not eliminate risk, as Contributor-level accounts are common in collaborative environments. The lack of known exploits in the wild suggests that attackers may develop exploits soon, increasing the urgency for mitigation. Additionally, compromised WordPress sites can be used as launchpads for further attacks within European networks, amplifying the threat.

Immediate mitigation should focus on restricting access to the 'template' parameter by implementing strict input validation and sanitization to prevent directory traversal or arbitrary file inclusion. Organizations should audit user roles and permissions to minimize the number of users with Contributor-level or higher access, enforcing the principle of least privilege. Monitoring and logging access to the vulnerable shortcode can help detect exploitation attempts. Since no official patch is currently available, consider temporarily disabling the LT Unleashed plugin or removing the vulnerable shortcode if feasible. Employ Web Application Firewalls (WAFs) with custom rules to block suspicious requests targeting the 'template' parameter. Regularly update WordPress core and plugins to the latest versions once a patch is released. Conduct security awareness training for administrators and content contributors to recognize and report suspicious activity. Finally, perform regular backups and have an incident response plan ready to quickly recover from potential compromises.