CVE-2025-14475 is a Local File Inclusion vulnerability classified under CWE-98, affecting the Extensive VC Addons for WPBakery page builder plugin for WordPress, specifically all versions up to 1.9.1. The vulnerability exists in the 'extensive_vc_get_module_template_part' function, which is called by the 'extensive_vc_init_shortcode_pagination' AJAX action. This function fails to properly normalize and validate the 'shortcode_name' parameter supplied by users, allowing attackers to manipulate the file path used in PHP's include or require statements. By exploiting this, an unauthenticated attacker can include arbitrary PHP files from the server or potentially remote locations if remote file inclusion is enabled, leading to arbitrary code execution. The vulnerability has a CVSS 3.1 base score of 8.1, indicating high severity, with attack vector network (AV:N), attack complexity high (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no exploits are currently known in the wild, the risk is significant due to the widespread use of WPBakery and its addons in WordPress sites. The vulnerability allows attackers to execute PHP code remotely, which can lead to full system compromise, data theft, defacement, or further pivoting within the network.

The impact of CVE-2025-14475 is severe for organizations using the Extensive VC Addons for WPBakery page builder plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary PHP code on the web server. This can result in complete compromise of the affected web server, including unauthorized access to sensitive data, modification or deletion of website content, installation of backdoors or malware, and lateral movement within the organization's network. Given the plugin's integration with WordPress, a widely used CMS, many websites, including corporate, e-commerce, and government portals, could be affected. The vulnerability's unauthenticated nature increases the risk, as attackers do not need valid credentials or user interaction to exploit it. This could lead to widespread defacements, data breaches, and service disruptions, severely impacting organizational reputation, compliance, and operational continuity.

To mitigate CVE-2025-14475, organizations should take the following specific actions: 1) Immediately check for and apply any official patches or updates released by the plugin vendor nenad-obradovic; if no patch is available, consider disabling or removing the Extensive VC Addons plugin until a fix is released. 2) Restrict access to the 'extensive_vc_init_shortcode_pagination' AJAX endpoint by implementing IP whitelisting or authentication mechanisms at the web server or application firewall level to prevent unauthenticated access. 3) Employ a Web Application Firewall (WAF) with custom rules to detect and block suspicious requests attempting to manipulate the 'shortcode_name' parameter or include unexpected file paths. 4) Conduct thorough code reviews and audits of custom or third-party plugins to identify and remediate improper input validation and path normalization issues. 5) Monitor web server logs for unusual file inclusion attempts or anomalous AJAX requests targeting the vulnerable function. 6) Harden PHP configurations by disabling remote file inclusion (allow_url_include=Off) and restricting file system permissions to limit the impact of potential exploitation. 7) Educate development and security teams on secure coding practices related to file inclusion and input validation to prevent similar vulnerabilities in the future.