Age Gate < 3.5.4 – Unauthenticated Local PHP File Inclusion via 'lang' | CVE 2025-2505 | Plugin Vulnerabilities

Description

The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Affects Plugins

Fixed in 3.5.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d6ac2996-098f-474c-b44e-78d5af7b503a

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

mikemyers

Verified

No

WPVDB ID

968445a0-a42a-4368-8631-7f166227a47f

Timeline

Publicly Published

2025-03-19 (about 1 year ago)

Added

2025-03-19 (about 1 year ago)

Last Updated

2025-03-20 (about 1 year ago)

Other

Published

Title

Published

2025-10-03

Title

PixelYourSite < 11.1.2 - Admin+ LFI

Published

2025-07-17

Title

School Management System for Wordpress < 1.93.1 (02-07-2025) - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update

Published

2015-08-02

Title

simple-image-manipulator <= 1.0 - Remote File Download

Published

2024-09-23

Title

WooEvents < 4.1.3 - Unauthenticated Arbitrary File Overwrite

Published

2021-06-23

Title

WP Image Zoom < 1.47 - Local File Inclusion