CVE-2025-14502: News and Blog Designer Bundle <= 1.1 - Unauthenticated Local File Inclusion

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-14502

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

News and Blog Designer Bundle <= 1.1 - Unauthenticated Local File Inclusion

Source: NVD (National Vulnerability Database)

Vulnerability Description

The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

PHP程序中Include/Require语句包含文件控制不恰当(PHP远程文件包含)

Source: NVD (National Vulnerability Database)

Vulnerability Title

WordPress plugin News and Blog Designer Bundle 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin News and Blog Designer Bundle 1.1及之前版本存在安全漏洞，该漏洞源于template参数处理不当，可能导致本地文件包含攻击。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
vaghasia3	News and Blog Designer Bundle	* ~ 1.1	-

II. Public POCs for CVE-2025-14502

#	POC Description	Source Link	Shenlong Link
1	WordPress的News and Blog Designer Bundle插件在1.1及之前所有版本中，存在通过template参数导致的本地文件包含漏洞。该漏洞使得未经身份验证的攻击者能够包含并执行服务器上的任意.php文件，从而运行这些文件中的任何PHP代码。在允许上传和包含.php文件类型的场景下，攻击者可利用此漏洞绕过访问控制、获取敏感数据或实现代码执行。	https://github.com/Kai-One001/WordPress-News-and-Blog-Designer-Bundle-CVE-2025-14502	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-14502

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same weakness: CWE-98

V. Comments for CVE-2025-14502

Anonymous User

2026-01-15 06:08:25

Zaproxy alias impedit expedita quisquam pariatur exercitationem. Nemo rerum eveniet dolores rem quia dignissimos.

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2025-14502

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-14502

III. Intelligence Information for CVE-2025-14502

IV. Related Vulnerabilities

V. Comments for CVE-2025-14502

Anonymous User

Leave a comment