cleantalk
Vulnerabilities and Security Researches

Extensive VC Addons for WPBakery page builder, CVE-2025-14475

CVE, Research URL

CVE-2025-14475

Home page URL

Security reports for Extensive VC Addons for WPBakery page builder

Application

Extensive VC Addons for WPBakery page builder

Published on
Dec 13, 2025
Research Description
The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the `extensive_vc_get_module_template_part` function. This is due to insufficient path normalization and validation of the user-supplied `shortcode_name` parameter in the `extensive_vc_init_shortcode_pagination` AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files via the `shortcode_name` parameter.
Affected versions
max 1.9.1.
Status
vulnerable
Previous vulnerability researches
Extensive VC Addons for WPBakery page builder (CVE-2025-14475) , Jan 11, 2026
Extensive VC Addons for WPBakery page builder (CVE-2025-60087) , Feb 27, 2026
Extensive VC Addons for WPBakery page builder (CVE-2023-0159) , Jun 07, 2024
New vulnerability
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin (CVE-2026-24951) , Feb 27, 2026
myCred – Points, Rewards, Gamification, Ranks, Badges & Loyalty Plugin (CVE-2026-27440) , Feb 27, 2026
eDS Responsive Menu (CVE-2025-68845) , Feb 27, 2026
s2Member – Best Membership Plugin for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscription (CVE-2025-13732) , Feb 27, 2026
Run Contests, Raffles, and Giveaways with ContestsWP (CVE-2026-25023) , Feb 27, 2026