Local PHP File Inclusion Vulnerability in Age Gate Plugin for WordPress
CVE-2025-2505
What is CVE-2025-2505?
CVE-2025-2505 is a security vulnerability found in the Age Gate plugin for WordPress, developed by Philsbury. The purpose of this plugin is to manage age verification for accessing content on WordPress sites. However, this vulnerability allows unauthenticated attackers to exploit a flaw in the plugin via the 'lang' parameter, enabling them to include and execute arbitrary PHP files on the server. Consequently, this can lead to unauthorized code execution, potentially undermining the security of websites that depend on this plugin, and jeopardizing sensitive data.
Technical Details
The vulnerability is categorized as a Local PHP File Inclusion (LFI) issue, affecting all versions of the Age Gate plugin up to and including 3.5.3. Attackers can leverage this flaw by manipulating the 'lang' parameter, allowing the inclusion of PHP files stored on the server. The resulting exploitation can facilitate various attacks, including access control bypass and execution of malicious code embedded in these PHP files. This makes the vulnerability particularly critical as it affects an integral part of many WordPress-based websites' age verification process.
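A detection sketch for the behaviour described above, added here as an example and not taken from the plugin or from any vendor advisory: it scans web server access logs for requests whose 'lang' query value is not a plain locale code. The Combined Log Format, the locale pattern, the request paths and the sample lines are assumptions constructed for illustration; values sent in POST bodies do not appear in access logs and are not covered.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate 'lang' values look like locale codes ("en", "en_US", "pt-BR").
LOCALE_RE = re.compile(r"^[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8}){0,2}$")
# Combined Log Format: client address first, request line in the first quoted field.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')

def suspicious_lang_values(target):
    """Return decoded 'lang' values in a request target that are not locale codes."""
    query = target.partition("?")[2]
    # parse_qs percent-decodes each value; an allowlist then rejects anything
    # containing separators, dots, NUL bytes or leftover '%' sequences.
    values = parse_qs(query, keep_blank_values=True).get("lang", [])
    return [v for v in values if not LOCALE_RE.fullmatch(v)]

def scan(lines):
    """Return (client, target, value) for every log line with a suspicious 'lang'."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parseable request line
        client, target = match.groups()
        for value in suspicious_lang_values(target):
            hits.append((client, target, value))
    return hits

# Constructed sample log lines (documentation address ranges, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /example-page/?lang=en_US HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2025:10:00:05 +0000] "GET /example-page/?lang=pt-BR HTTP/1.1" 200 5098 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2025:10:02:11 +0000] "GET /example-page/?lang=..%2F..%2Fuploads%2Fnote HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Mar/2025:10:03:40 +0000] "GET /example-page/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2025:10:04:02 +0000] "POST /example-page/?lang=%2Fvar%2Fwww%2Fhtml%2Fexample HTTP/1.1" 200 298 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for client, target, value in scan(SAMPLE_LOG):
        print(f"{client} sent non-locale lang value {value!r} in {target}")
```

Hits are leads for review rather than proof of exploitation; tighten the locale pattern to the languages the site actually serves to reduce noise.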
Potential Impact of CVE-2025-2505
- Unauthorized Code Execution: Exploitation of this vulnerability can allow unauthorized users to execute arbitrary PHP code on the server. This control can lead to complete system compromise.
- Data Breaches: Attackers can gain access to sensitive information by bypassing access controls, potentially leading to the unauthorized disclosure of personal data stored in the affected systems.
- Increased Attack Surface: The existence of this vulnerability can attract additional attacks on the server, as it opens a pathway for further exploitation, enabling attackers to carry out additional malicious activities, including data exfiltration and malware installation.
Affected Version(s)
Age Gate * <= 3.5.3