CVE-2025-14475 is a Local File Inclusion vulnerability classified under CWE-98, found in the Extensive VC Addons for WPBakery page builder plugin for WordPress. The vulnerability exists due to insufficient path normalization and validation of the 'shortcode_name' parameter within the 'extensive_vc_init_shortcode_pagination' AJAX action. This flaw allows unauthenticated attackers to manipulate the parameter to include arbitrary PHP files from the server, resulting in remote code execution. The vulnerability affects all plugin versions up to and including 1.9.1. The attack vector is network-based, requiring no authentication or user interaction, but with a high attack complexity due to the need for crafting specific requests. The CVSS v3.1 score is 8.1, reflecting high impact on confidentiality, integrity, and availability. Although no public exploits are known yet, the vulnerability poses a significant risk to WordPress sites using this plugin, as it can lead to full server compromise. The lack of patch links indicates that a fix may not yet be publicly available, emphasizing the need for immediate defensive measures.

For European organizations, this vulnerability can lead to severe consequences including unauthorized access to sensitive data, defacement or disruption of websites, and potential pivoting into internal networks. Organizations relying on WordPress with the affected plugin, particularly in sectors such as e-commerce, media, and government, face risks of data breaches and service outages. The ability for unauthenticated remote attackers to execute arbitrary PHP code elevates the threat to critical infrastructure and business continuity. Additionally, compromised sites could be used to distribute malware or conduct phishing campaigns, impacting reputation and compliance with data protection regulations like GDPR. The widespread use of WordPress in Europe, combined with the plugin’s popularity, increases the potential attack surface significantly.

Until an official patch is released, organizations should implement the following mitigations: 1) Disable or restrict access to the 'extensive_vc_init_shortcode_pagination' AJAX action via web application firewalls or server-level rules to block malicious requests targeting the 'shortcode_name' parameter. 2) Employ strict input validation and sanitization on all user-supplied parameters, especially those involved in file inclusion or execution. 3) Monitor web server logs for suspicious requests attempting to exploit this vulnerability. 4) Limit file permissions on the server to prevent unauthorized PHP file execution and restrict writable directories. 5) Consider temporarily disabling or replacing the Extensive VC Addons plugin if feasible. 6) Keep WordPress core and all plugins updated and subscribe to vendor security advisories for timely patch deployment. 7) Conduct regular security audits and penetration testing focused on plugin vulnerabilities.