CVE-2025-7650 is a Local File Inclusion vulnerability identified in the BizCalendar Web plugin for WordPress, affecting all versions up to 1.1.0.50. The vulnerability arises from improper validation and control of filenames passed to PHP include or require statements within the 'bizcalv' shortcode functionality. Authenticated users with Contributor or higher privileges can manipulate the shortcode to include arbitrary files from the server filesystem. This can lead to execution of arbitrary PHP code if an attacker uploads files containing malicious code, even if the files are disguised as images or other typically safe file types. The flaw is categorized under CWE-98, which involves improper control of filenames used in include/require statements, leading to remote file inclusion or local file inclusion attacks. The CVSS v3.1 base score is 7.5, reflecting high severity due to network attack vector, low privileges required, no user interaction needed, and high impact on confidentiality, integrity, and availability. Although no exploits have been reported in the wild yet, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin’s functionality. The vulnerability allows attackers to bypass access controls, execute arbitrary code, and potentially gain full control over the affected web server environment. The lack of an official patch at the time of disclosure necessitates immediate mitigation efforts by administrators.

The impact of CVE-2025-7650 is substantial for organizations running WordPress sites with the BizCalendar Web plugin installed. Successful exploitation can lead to remote code execution on the web server, enabling attackers to execute arbitrary PHP code, escalate privileges, and potentially take full control of the hosting environment. This can result in data breaches, defacement, deployment of malware or ransomware, and lateral movement within the network. Confidential information stored or processed by the website can be exposed or altered, and the availability of the service can be disrupted. Since the vulnerability requires only Contributor-level authentication, it lowers the barrier for exploitation inside organizations or via compromised accounts. The ability to upload and include files disguised as safe types further increases the attack surface. Given WordPress’s popularity globally, this vulnerability could affect a wide range of sectors including e-commerce, media, education, and government websites, potentially causing significant operational and reputational damage.

To mitigate CVE-2025-7650, organizations should immediately audit their WordPress installations for the presence of the BizCalendar Web plugin and disable or remove it if not essential. Until an official patch is released, restrict Contributor-level and higher permissions strictly to trusted users to reduce the risk of exploitation. Implement web application firewall (WAF) rules to detect and block attempts to exploit the 'bizcalv' shortcode or suspicious file inclusion patterns. Harden file upload functionality by enforcing strict file type validation, scanning uploaded files for malicious content, and storing uploads outside the web root to prevent direct inclusion. Monitor logs for unusual shortcode usage or file access patterns indicative of exploitation attempts. Consider deploying runtime application self-protection (RASP) solutions to detect and block LFI attacks in real time. Once a patch becomes available, apply it promptly. Additionally, conduct regular security assessments and maintain least privilege principles for user roles within WordPress to minimize attack vectors.