CVE-2025-14475 is a Local File Inclusion vulnerability classified under CWE-98, found in the Extensive VC Addons for WPBakery page builder plugin for WordPress. The flaw exists in the 'extensive_vc_get_module_template_part' function, specifically in the handling of the 'shortcode_name' parameter within the 'extensive_vc_init_shortcode_pagination' AJAX action. Due to insufficient path normalization and validation, attackers can manipulate this parameter to include arbitrary PHP files from the server. This inclusion leads to the execution of any PHP code contained in those files, effectively enabling remote code execution without requiring authentication or user interaction. The vulnerability affects all plugin versions up to and including 1.9.1. The CVSS v3.1 score is 8.1, indicating high severity, with network attack vector, high attack complexity, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. While no public exploits are currently known, the vulnerability's nature and the popularity of WPBakery page builder and its addons make it a critical risk for WordPress sites. Attackers could leverage this flaw to compromise web servers, steal sensitive data, deploy malware, or pivot within networks. The lack of available patches at the time of disclosure necessitates immediate mitigation efforts by administrators.

For European organizations, this vulnerability poses a significant risk to websites and web applications built on WordPress using the Extensive VC Addons for WPBakery page builder plugin. Successful exploitation can lead to full server compromise, data breaches, defacement, or use of the server as a launchpad for further attacks. Given the widespread adoption of WordPress in Europe, including by SMEs, government agencies, and e-commerce platforms, the potential impact includes loss of customer trust, regulatory penalties under GDPR for data breaches, operational disruption, and financial losses. The ability to execute arbitrary PHP code remotely without authentication increases the threat level, especially for organizations lacking robust web application firewalls or monitoring. The vulnerability could also be exploited to deploy ransomware or other malware, amplifying the impact. Organizations relying on this plugin must consider the risk to their web infrastructure and data confidentiality, particularly those handling personal or sensitive information.

Immediate mitigation steps include disabling or removing the Extensive VC Addons for WPBakery page builder plugin until a vendor patch is released. Administrators should monitor web server logs for suspicious AJAX requests targeting the 'extensive_vc_init_shortcode_pagination' action with unusual 'shortcode_name' parameters. Implementing a Web Application Firewall (WAF) with custom rules to block requests containing directory traversal patterns or unexpected input in this parameter can reduce exposure. Restricting file permissions on the server to prevent unauthorized PHP file inclusion and execution is critical. Organizations should also ensure their WordPress core, themes, and plugins are regularly updated and conduct security audits focusing on plugin vulnerabilities. If patching is delayed, consider isolating the affected web servers behind reverse proxies or network segmentation to limit attacker access. Backup critical data and verify restoration procedures to mitigate potential damage from exploitation. Finally, educate web administrators about this vulnerability and encourage vigilance for indicators of compromise.