Local File Inclusion Vulnerability in News and Blog Designer Bundle Plugin for WordPress
CVE-2025-14502

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: News And Blog Designer Bundle
Vendor: CVE Published:; 14 January 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-14502?

The News and Blog Designer Bundle plugin for WordPress presents a serious Local File Inclusion vulnerability, impacting all versions up to and including 1.1. By exploiting the template parameter, unauthenticated attackers can include and execute arbitrary .php files from the server. This vulnerability not only facilitates the execution of malicious code but also enables attackers to bypass access controls and potentially access sensitive data stored on the server. If PHP file types can be uploaded and included, the implications for security can be severe, reinforcing the need for prompt updates and vigilant management of plugin security.

Affected Version(s)

News and Blog Designer Bundle * <= 1.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

WordPress-News-and-Blog-Designer-Bundle-CVE-2025-14502
Created by Kai-One001

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/news-and-blog-...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 15, 2026
👾
Exploit known to exist
Jan 15, 2026
Vulnerability published
Jan 14, 2026
Vulnerability Reserved
Dec 10, 2025

Credit

Itthidej Aramsri

JSON