Vulnerabilities and security researches forextensive-vc-addon extensive-vc-addon
Direction: descendingFeb 27, 2026
Extensive VC Addons for WPBakery page builder # CVE-2025-60087
- CVE, Research URL
- Application
- Date
- Feb 20, 2026
- Research Description
- Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nenad Obradovic Extensive VC Addons for WPBakery page builder extensive-vc-addon allows PHP Local File Inclusion.This issue affects Extensive VC Addons for WPBakery page builder: from n/a through <= 1.9.1.
- Affected versions
-
max 1.9.1.
- Status
-
vulnerable
Jan 11, 2026
Extensive VC Addons for WPBakery page builder # CVE-2025-14475
- CVE, Research URL
- Application
- Date
- Dec 13, 2025
- Research Description
- The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the `extensive_vc_get_module_template_part` function. This is due to insufficient path normalization and validation of the user-supplied `shortcode_name` parameter in the `extensive_vc_init_shortcode_pagination` AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files via the `shortcode_name` parameter.
- Affected versions
-
max 1.9.1.
- Status
-
vulnerable
Jun 07, 2024
Extensive VC Addons for WPBakery page builder # CVE-2023-0159
- CVE, Research URL
- Application
- Date
- Feb 13, 2023
- Research Description
- The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
- Affected versions
-
max 1.9.1.
- Status
-
vulnerable