CVE-2025-8905 is a remote code execution (RCE) vulnerability identified in the Inpersttion For Theme WordPress plugin, affecting all versions up to and including 1.0. The vulnerability arises from improper control over code generation (CWE-94) within the theme_section_shortcode() function. Specifically, the plugin does not restrict which functions can be invoked, enabling authenticated attackers with Contributor-level or higher privileges to execute arbitrary functions on the server. Notably, the exploit does not allow user-supplied parameters, limiting the scope of function calls but still enabling significant control over server-side execution. The vulnerability requires authentication but no user interaction, and the attack surface includes any WordPress site using this plugin. The CVSS 3.1 base score is 6.3, reflecting network attack vector, low attack complexity, and privileges required. The impact spans confidentiality, integrity, and availability, as arbitrary code execution can lead to data exposure, modification, or service disruption. No known public exploits or patches exist at the time of publication, increasing the urgency for mitigation. The vulnerability was reserved on August 12, 2025, and published on August 15, 2025, by Wordfence. This flaw highlights the risks of insufficient function call restrictions in plugin code, especially in popular CMS environments like WordPress.

The vulnerability allows authenticated users with Contributor-level access or higher to execute arbitrary code on the hosting server, which can lead to full compromise of the affected WordPress site. This includes unauthorized data access, modification, deletion, or disruption of service (denial of service). Attackers could leverage this to deploy backdoors, pivot to other internal systems, or deface websites. Since Contributor roles are commonly assigned to trusted users or content creators, the risk of insider threats or compromised accounts is significant. The vulnerability affects all installations of the Inpersttion For Theme plugin up to version 1.0, potentially impacting thousands of WordPress sites globally. The lack of user interaction requirement and low attack complexity increase the likelihood of exploitation once credentials are obtained. Although no public exploits are currently known, the vulnerability’s nature makes it a high-value target for attackers seeking persistent access or lateral movement within compromised environments.

1. Immediately restrict Contributor-level access and above to only trusted users until a patch is available. 2. Monitor WordPress logs and server activity for unusual function calls or code execution patterns related to the theme_section_shortcode() function. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode usage or function invocation attempts. 4. Disable or remove the Inpersttion For Theme plugin if it is not essential to reduce attack surface. 5. Apply the vendor patch promptly once released, and verify the update addresses the function call restriction issue. 6. Enforce strong authentication and credential hygiene to prevent account compromise of users with Contributor or higher privileges. 7. Conduct regular security audits and vulnerability scans focusing on WordPress plugins and themes. 8. Consider isolating WordPress environments to limit the impact of potential code execution exploits. 9. Educate site administrators and content contributors about the risks of privilege misuse and suspicious activity reporting.