CVE-2025-11722 Overview
CVE-2025-11722 is a Local File Inclusion (LFI) vulnerability in the WooCommerce Category and Products Accordion Panel plugin for WordPress. The flaw affects all versions up to and including 1.0. The vulnerability resides in the categoryaccordionpanel shortcode, which fails to properly validate file paths before inclusion. Authenticated attackers with Contributor-level access or above can include and execute arbitrary .php files on the server. The issue is classified under CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program.
Critical Impact
Authenticated attackers can execute arbitrary PHP code by abusing the vulnerable shortcode, enabling access control bypass, sensitive data disclosure, and full remote code execution when combined with file upload primitives.
Affected Products
- WooCommerce Category and Products Accordion Panel plugin for WordPress
- All versions up to and including 1.0
- WordPress sites with Contributor-level or higher user registration enabled
Discovery Timeline
- 2025-10-15 - CVE-2025-11722 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-11722
Vulnerability Analysis
The plugin exposes a categoryaccordionpanel shortcode that accepts user-supplied input used to construct a file path passed to a PHP include or require statement. Because the input is not sanitized against directory traversal sequences or restricted to an allowlist, an authenticated user can supply a path that resolves to arbitrary .php files on the server filesystem. Contributor-level accounts in WordPress can create posts containing shortcodes, which is sufficient to trigger the vulnerable code path referenced in the plugin's include/categoryaccordionpanel.php and include/abstract.php source files.
Root Cause
The root cause is improper control of the filename passed to a PHP include statement [CWE-98]. The shortcode handler concatenates attacker-controlled data into a path used by include or require without normalization or an allowlist of permitted templates. Any file with a .php extension reachable from the web server user account can be included and executed within the WordPress request context.
Attack Vector
An authenticated attacker holding a Contributor role or higher creates or edits content that embeds the categoryaccordionpanel shortcode with a crafted attribute pointing at a target file. Rendering the post causes the plugin to include the attacker-specified PHP file. If the attacker can place a .php file on the server through another primitive such as an image upload with polyglot content, log poisoning, or a writable temporary directory, the LFI becomes a reliable remote code execution primitive. See the Wordfence Vulnerability Analysis for reference details and the vulnerable source in categoryaccordionpanel.php.
No verified public exploit code is available at this time. Refer to the linked plugin source files for technical review.
Detection Methods for CVE-2025-11722
Indicators of Compromise
- Post or page revisions authored by Contributor accounts containing the [categoryaccordionpanel] shortcode with unusual file, path, or template attribute values.
- Web server access logs showing POST requests to wp-admin/post.php or wp-admin/admin-ajax.php from low-privilege users followed by rendering requests to the affected post.
- PHP error log entries referencing include() or require() failures with path traversal sequences such as ../ targeting files outside the plugin directory.
- Unexpected outbound network connections or new PHP files under wp-content/uploads/ created shortly after Contributor activity.
Detection Strategies
- Audit the WordPress wp_posts table for shortcode invocations of categoryaccordionpanel and inspect attribute values for path traversal patterns.
- Deploy a Web Application Firewall rule that inspects shortcode attributes for ../, absolute paths, and .php suffixes in requests to posts using the plugin.
- Correlate low-privilege user session activity with file inclusion errors in PHP-FPM or Apache error logs.
Monitoring Recommendations
- Monitor creation of new Contributor and Author accounts and flag those that immediately publish or preview posts containing shortcodes.
- Track file integrity for the wp-content/plugins/accordion-panel-for-category-and-products/ directory and wp-content/uploads/ subdirectories.
- Alert on PHP process executions spawning shell interpreters, outbound curl or wget calls, or writes to WordPress core files.
How to Mitigate CVE-2025-11722
Immediate Actions Required
- Deactivate and remove the WooCommerce Category and Products Accordion Panel plugin until a patched release is verified.
- Restrict user registration and audit existing Contributor, Author, and Editor accounts, removing any that are unrecognized.
- Rotate WordPress secret keys in wp-config.php and force password resets for all privileged users if the plugin has been active.
- Review web server and PHP logs for prior exploitation attempts referencing the categoryaccordionpanel shortcode.
Patch Information
At the time of this writing, no fixed version has been published by the plugin vendor beyond the affected 1.0 release. Administrators should track the plugin listing on WordPress.org and the Wordfence advisory for release of a patched version. Until a fix is published, removal is the recommended mitigation.
Workarounds
- Disable the plugin at the filesystem level by renaming its directory under wp-content/plugins/.
- Enforce least-privilege by demoting Contributor accounts that do not require content creation and disabling open registration.
- Configure PHP open_basedir to restrict includes to the WordPress installation directory, blocking traversal to system paths.
- Deploy WAF signatures that block shortcode parameters containing ../, null bytes, or absolute filesystem paths.
# Configuration example: restrict PHP file inclusion scope via open_basedir
# Add to php.ini or the site's PHP-FPM pool configuration
open_basedir = "/var/www/html/:/tmp/"
# Disable the vulnerable plugin from the command line via WP-CLI
wp plugin deactivate accordion-panel-for-category-and-products
wp plugin delete accordion-panel-for-category-and-products
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

