CVE Alert: CVE-2025-11722 – ikhodal – Woocommerce Category and Products Accordion Panel

CVE-2025-11722

Severity
HIGH
Exploitation
No exploitation known

The Woocommerce Category and Products Accordion Panel plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the ‘categoryaccordionpanel’ shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CVSS v3.1 (7.5)
Vendor
ikhodal
Product
Woocommerce Category and Products Accordion Panel
Versions
* lte 1.0
CWE
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-10-15T08:25:56.072Z
Updated
2025-10-15T14:43:16.924Z

AI Summary Analysis

**Risk verdict**: High risk of authenticated local file inclusion leading to PHP code execution, with no active exploitation indicated at present.

**Why this matters**: An attacker with Contributor+ access can include arbitrary PHP files on the server, potentially bypassing controls and reading or modifying data. In a WordPress e-commerce context, this can lead to payment data exposure, site defacement, or complete server compromise if further code execution is achieved.

**Most likely attack path**: Requires authenticated access at Contributor level or above (PR:L), with no user interaction (UI:N). The attacker supplies a crafted value to the shortcode parameter to trigger the LFI, causing server-side PHP files to be included and executed, with full impact on confidentiality, integrity and availability (C:H/I:H/A:H). The scope is unchanged (S:U), so the direct impact stays within the hosting environment, but a successful compromise can enable lateral movement within the site if the included PHP code interacts with other components.

**Who is most exposed**: WordPress sites using this plugin, especially stores with contributor/admin workflows and shared hosting where multiple editors have access. Sites allowing shortcode-based content or file uploads elevate exposure risk.

**Detection ideas**:

  • Logs show requests manipulating the categoryaccordionpanel shortcode or PHP include attempts.
  • Unusual PHP execution events or errors referencing included files in the plugin path.
  • Abnormal file read/write activity around plugin directories.
  • Repeated 500s or code execution traces following shortcode usage.

**Mitigation and prioritisation**:

  • Apply available patch or upgrade beyond 1.0; if unavailable, disable the plugin.
  • Enforce least-privilege for all contributors; revoke unnecessary editor capabilities.
  • Implement WAF/IPS rules to detect LFI patterns; block suspicious shortcode parameters.
  • Enable file integrity monitoring around plugin and PHP include paths.
  • Change-management: test in staging before rollout; monitor for post-patch anomalies.
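For plugin developers, the code-level fix for this class of bug (CWE-98) is to stop deriving an include path from a shortcode attribute at all. The snippet below is an added, hypothetical illustration and is not the plugin's source: the weak handler shows the pattern in which an attribute reaches `include`, and the hardened handler maps the attribute to a fixed allow-list and then verifies the resolved file still lives under the plugin's `templates/` directory. It assumes a WordPress runtime (`add_shortcode`, `shortcode_atts`, `sanitize_key`, `plugin_dir_path`) and invented template file names.

```php
<?php
// Hypothetical illustration of the CWE-98 pattern and one hardened alternative.
// Not the plugin's code; template names below are invented for the example.

// Weak pattern: a shortcode attribute decides which file is include()d, so
// anyone allowed to place shortcodes (Contributor and above) controls the path.
function cap_accordion_weak( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['template'] . '.php';
    return ob_get_clean();
}

// Hardened pattern: the attribute selects a key, never a path.
function cap_accordion_templates() {
    return array(
        'default' => 'accordion-default.php',
        'compact' => 'accordion-compact.php',
    );
}

function cap_accordion_resolve_template( $name ) {
    $templates = cap_accordion_templates();
    $key       = sanitize_key( (string) $name );   // lowercase [a-z0-9_-] only
    if ( ! isset( $templates[ $key ] ) ) {
        $key = 'default';                            // unknown value -> safe default
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . '/' . $templates[ $key ] );
    // Belt and braces: the resolved file must still be inside templates/.
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $file;
}

function cap_accordion_hardened( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts );
    $file = cap_accordion_resolve_template( $atts['template'] );
    if ( null === $file ) {
        return '';                                   // refuse rather than guess
    }
    ob_start();
    include $file;
    return ob_get_clean();
}

add_shortcode( 'categoryaccordionpanel', 'cap_accordion_hardened' );
```

The same allow-list-plus-containment check applies to any WordPress code that builds a file path from post content or user-supplied attributes, not only to this shortcode.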
