CVE-2025-4200 Overview
CVE-2025-4200 is a Local File Inclusion (LFI) vulnerability in the Zagg - Electronics & Accessories WooCommerce WordPress Theme. All versions up to and including 1.4.1 are affected. The flaw resides in the load_view() function, which is reached through at least three AJAX actions: load_more_post, load_shop, and load_more_product. Unauthenticated attackers can make the server include arbitrary files, and because PHP parses whatever include is handed, an attacker-controlled file on disk yields PHP code execution. The vulnerability is tracked under CWE-98 (Improper Control of Filename for Include/Require Statement).
Critical Impact
Unauthenticated attackers can execute arbitrary PHP code with the privileges of the web server account, and from there read wp-config.php (which holds the database credentials), bypass WordPress access controls, and exfiltrate sensitive data from affected sites.
Affected Products
- Zagg - Electronics & Accessories WooCommerce WordPress Theme versions 1.0 through 1.4.1
- WordPress installations running the theme (distributed through ThemeForest)
- Sites exposing the load_more_post, load_shop, or load_more_product AJAX endpoints
Discovery Timeline
- 2025-06-14 - CVE-2025-4200 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-4200
Vulnerability Analysis
The vulnerability stems from unsafe handling of user-controlled input passed to PHP include or require statements inside the theme's load_view() function. WordPress themes commonly use AJAX handlers to render partial templates. In Zagg, three handlers — load_more_post, load_shop, and load_more_product — pass attacker-controlled view names directly into a file inclusion call.
Because the AJAX handlers are registered under the wp_ajax_nopriv_ hook, no authentication is required to invoke them. A successful request makes PHP include any file the web server account can read: PHP code inside the file runs, and anything outside PHP tags is echoed into the response. Combined with a file upload primitive, even one limited to image types, an attacker can pivot from LFI to remote code execution by uploading an image that carries embedded PHP tags and then including it. Note that this pivot depends on the handler not forcing a .php suffix onto the supplied name: if it did, an uploaded .jpg could not be reached, since the null-byte truncation trick has not worked in PHP since 5.3.4.
Root Cause
The root cause is missing input validation in load_view(). The function takes a view identifier from the AJAX request and concatenates it into the path handed to include. There is no allowlist of permitted view names, no normalization to reject ../ sequences, and no check that the resolved path stays under a base directory. This is CWE-98, Improper Control of Filename for Include/Require Statement: the CWE covers any include whose filename is attacker-controlled, whether the file that ends up included is local or remote. Here the included files are on local disk, so the attack does not depend on allow_url_include being enabled.
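The following is an added example and not the Zagg theme's own code: it shows the unsafe include shape the advisory describes next to a hardened version that uses an allowlist plus a realpath() containment check. The function, hook, field and directory names (zagg_*, a 'view' POST field, a views/ folder under the theme) are assumptions made for illustration. The tail of the script runs stand-alone from the command line without WordPress.

```php
<?php
// Added example, not the Zagg theme's code. The function, hook, field and
// directory names here (zagg_*, a 'view' POST field, a views/ folder under
// the theme) are assumptions made to illustrate the pattern the advisory
// describes and one way to fix it.

// Vulnerable shape: the request decides which file PHP parses. A value
// such as "../../uploads/2025/06/avatar.jpg" leaves views/, and any
// "<?php ... ?>" inside that image runs with the web server's privileges.
function zagg_load_view_vulnerable(string $base, string $view): void
{
    include $base . '/views/' . $view;
}

/**
 * Hardened resolver: map a request-supplied name to one of the partials
 * the AJAX handlers legitimately render, or return null. Two independent
 * checks: an allowlist (the real fix) and a realpath() containment test
 * (defence in depth, in case the allowlist is later edited carelessly).
 */
function zagg_resolve_view(string $base, string $view): ?string
{
    static $allowed = [
        'post-item'    => 'post-item.php',
        'shop-item'    => 'shop-item.php',
        'product-item' => 'product-item.php',
    ];
    if (!isset($allowed[$view])) {
        return null;                         // unknown name: never touch the filesystem
    }
    $root = realpath($base . '/views');
    $path = realpath($base . '/views/' . $allowed[$view]);
    // realpath() resolves symlinks and "..", so a prefix check on its
    // result is a containment test on the real path, not on attacker text.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function zagg_load_view_hardened(string $base, string $view): void
{
    $path = zagg_resolve_view($base, $view);
    if ($path === null) {
        wp_send_json_error(['message' => 'invalid view'], 400);   // ends the request
    }
    include $path;
}

// Handler registration as it would appear in the theme's functions.php.
// The nonce only proves the request came from a page the site rendered;
// it is not authentication, and the allowlist above is what closes the LFI.
function zagg_ajax_load_view(): void
{
    check_ajax_referer('zagg_ajax', 'nonce');
    $view = sanitize_key($_POST['view'] ?? '');   // lowercase [a-z0-9_-] only
    zagg_load_view_hardened(get_template_directory(), $view);
    wp_die();
}
if (function_exists('add_action')) {
    foreach (['load_more_post', 'load_shop', 'load_more_product'] as $action) {
        add_action("wp_ajax_nopriv_{$action}", 'zagg_ajax_load_view');
        add_action("wp_ajax_{$action}", 'zagg_ajax_load_view');
    }
}

// Stand-alone check from the command line (no WordPress needed): build a
// throwaway theme directory and confirm that only allowlisted names resolve.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $base = sys_get_temp_dir() . '/zagg-demo-' . getmypid();
    mkdir("$base/views", 0700, true);
    file_put_contents("$base/views/post-item.php", "<?php echo 'post item';");
    file_put_contents("$base/secret.txt", 'not a view');
    $cases = [
        'post-item'               => realpath("$base/views/post-item.php"),
        'shop-item'               => null,   // allowlisted but missing: realpath() fails closed
        '../secret.txt'           => null,
        '../../../../etc/passwd'  => null,
        'post-item/../secret.txt' => null,
        ''                        => null,
    ];
    foreach ($cases as $view => $expected) {
        $got = zagg_resolve_view($base, $view);
        printf("%-28s => %s\n", var_export($view, true), $got ?? 'rejected');
        assert($got === $expected);
    }
    unlink("$base/views/post-item.php");
    unlink("$base/secret.txt");
    rmdir("$base/views");
    rmdir($base);
}
```

The allowlist is what fixes the bug; the realpath() prefix check is there so that a later change to the allowlist (say, someone adds a key whose value is built from request data) cannot silently reopen the traversal. sanitize_key() on the request field is a convenience that keeps the lookup keys tidy, not a security control on its own.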
Attack Vector
An attacker sends an unauthenticated HTTP request to wp-admin/admin-ajax.php with the action parameter set to load_more_post, load_shop, or load_more_product. WordPress reads action from $_REQUEST, so it can travel in a POST body or in a GET query string. The request also carries the view parameter, pointing either at a path traversal payload or at a previously uploaded file. PHP parses the targeted file inside the web server's PHP process, with the privileges of the account PHP runs as. Refer to the Wordfence Vulnerability Report for additional technical details.
Detection Methods for CVE-2025-4200
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=load_more_post, action=load_shop, or action=load_more_product with view parameters that include path traversal sequences such as ../ or absolute filesystem paths.
- Unexpected PHP files written to wp-content/uploads/ or other writable directories, particularly files with double extensions like .jpg.php or image files with embedded PHP tags.
- Web server access logs showing repeated AJAX requests from a single source referencing the affected actions outside of normal browsing patterns.
Detection Strategies
- Inspect HTTP request bodies for the three vulnerable AJAX actions and flag any view parameter that contains traversal characters, null bytes, or references to system files like wp-config.php.
- Watch the PHP error log for include warnings ("failed to open stream", "open_basedir restriction in effect") whose paths point under wp-content/uploads/ or outside the theme directory; a mistyped or blocked LFI attempt usually leaves one of these before a successful attempt does.
- Correlate WordPress access logs with file integrity monitoring to detect new or modified PHP files following AJAX activity.
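As an added example that is not part of the advisory or the theme, the command-line scanner below applies the detection logic from the list above to web-server access logs: it parses combined-format lines, URL-decodes the view parameter repeatedly, and reports requests to the three vulnerable actions whose value looks like an inclusion payload. The log lines are constructed for the demo; the parameter name "view" is the one the advisory uses.

```php
<?php
// Added example, not from the advisory or the theme: a command-line scanner
// for web-server access logs that flags the three AJAX actions when their
// view parameter decodes to an inclusion payload. The log lines are
// constructed for the demo, and "view" is the parameter name the advisory uses.

const ZAGG_ACTIONS = ['load_more_post', 'load_shop', 'load_more_product'];

/** Reasons a parameter value looks like an LFI payload; empty for benign input. */
function zagg_suspicious_reasons(string $value): array
{
    $v = $value;
    // Attackers double-encode ("%252e%252e%252f"); decode until the value is stable.
    for ($i = 0; $i < 3 && ($d = rawurldecode($v)) !== $v; $i++) {
        $v = $d;
    }
    $v = str_replace('\\', '/', $v);                  // treat backslashes as separators
    $reasons = [];
    if (preg_match('#(^|/)\.\.(/|$)#', $v))            $reasons[] = 'path traversal';
    if ($v !== '' && $v[0] === '/')                    $reasons[] = 'absolute path';
    if (strpos($v, "\0") !== false)                    $reasons[] = 'null byte';
    if (preg_match('#^[a-z][a-z0-9.+-]*://#i', $v))    $reasons[] = 'stream wrapper';
    if (stripos($v, 'wp-config') !== false)            $reasons[] = 'wp-config reference';
    if (stripos($v, 'wp-content/uploads/') !== false)  $reasons[] = 'uploads directory';
    return $reasons;
}

/** Parse one combined-log-format line; returns null for lines that do not match. */
function zagg_parse_log_line(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[3]);
    $query = [];
    parse_str($url['query'] ?? '', $query);           // parse_str() also URL-decodes once
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $url['path'] ?? '',
            'query' => $query, 'status' => (int) $m[4]];
}

/** Flag a request to admin-ajax.php with a vulnerable action and a payload-like view. */
function zagg_check_request(string $path, array $params): ?array
{
    if (substr($path, -strlen('/admin-ajax.php')) !== '/admin-ajax.php') {
        return null;
    }
    $action = $params['action'] ?? '';
    if (!in_array($action, ZAGG_ACTIONS, true)) {
        return null;                                   // other actions: out of scope for this rule
    }
    $raw  = $params['view'] ?? '';
    $view = is_array($raw) ? implode('/', $raw) : (string) $raw;   // view[]=.. style payloads
    $reasons = zagg_suspicious_reasons($view);
    return $reasons === [] ? null : ['action' => $action, 'view' => $view, 'reasons' => $reasons];
}

function zagg_scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $req = zagg_parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $hit = zagg_check_request($req['path'], $req['query']);
        if ($hit !== null) {
            $hits[] = ['line' => $n + 1, 'ip' => $req['ip'], 'status' => $req['status']] + $hit;
        }
    }
    return $hits;
}

// Constructed sample (combined log format), not real traffic. Line 4 is a POST:
// its parameters are in the body, which the access log does not record.
$sample = [
    '203.0.113.7 - - [14/Jun/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=load_more_post&view=post-item&paged=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Jun/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=load_shop&view=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3344 "-" "python-requests/2.31"',
    '198.51.100.9 - - [14/Jun/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=load_more_product&view=%252e%252e%252fwp-content%252fuploads%252f2025%252f06%252fcat.jpg HTTP/1.1" 200 96 "-" "curl/8.5"',
    '203.0.113.8 - - [14/Jun/2025:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5120 "https://shop.example/" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Jun/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&view=../x HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
];

foreach (zagg_scan_log($sample) as $hit) {
    printf("line %d  %-13s status=%d action=%s view=%s  [%s]\n",
        $hit['line'], $hit['ip'], $hit['status'], $hit['action'], $hit['view'],
        implode(', ', $hit['reasons']));
}
```

Only the second and third sample lines are reported: the first is ordinary paging, the fourth is a POST whose parameters never reach the access log, and the fifth names an action outside the vulnerable set. Because admin-ajax.php takes action from $_REQUEST, GET probes do land in the access log, but the advisory does not say whether the theme reads the view name from $_POST only; to cover POST traffic, feed zagg_check_request() the parsed body from a WAF or ModSecurity audit log instead.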
Monitoring Recommendations
- Log request bodies for admin-ajax.php, not only request lines: the standard access log records a GET query string but drops POST parameters, so capture those at the WAF or with a ModSecurity audit log and forward everything to a centralized analytics platform for retrospective hunting.
- Alert on requests to the affected actions whose view parameter decodes to a traversal, an absolute path, or an uploads-directory reference, and treat an HTTP 200 response as the signal that the include probably succeeded. Source geography and user-agent are weak discriminators here, because these are public storefront endpoints that legitimate visitors call from anywhere.
- Track file creation events in WordPress upload directories and validate MIME types against file content rather than extension alone.
How to Mitigate CVE-2025-4200
Immediate Actions Required
- Disable or remove the Zagg theme from any production WordPress installation running version 1.4.1 or earlier until a patched release is installed.
- Block the exploit pattern at the web application firewall layer: requests to wp-admin/admin-ajax.php naming load_more_post, load_shop, or load_more_product whose view parameter contains traversal sequences or a path outside the theme's template directory. Blocking the three actions outright also works, but it breaks whatever storefront features call them.
- Audit wp-content/uploads/ and other writable directories for unauthorized PHP files and remove any artifacts of exploitation.
Patch Information
At the time of NVD publication, no fixed version is listed beyond 1.4.1. Administrators should consult the ThemeForest product page and the Wordfence Vulnerability Report for the latest vendor guidance and apply any updated theme release as soon as it becomes available.
Workarounds
- Deploy WAF rules that block requests to admin-ajax.php whose view parameter contains path traversal sequences. Match on the URL-decoded value, decoding repeatedly, so that %2e%2e%2f and double-encoded variants are caught as well as a literal ../.
- Configure PHP open_basedir to restrict file access to the WordPress installation directory. This confines a traversal to the WordPress tree and makes /etc/passwd-style probes fail with an open_basedir warning, but it does not stop inclusion of a file the attacker has already uploaded under wp-content/uploads/, and it applies to every file operation PHP performs, so test it on a staging copy first.
- Disable PHP execution within wp-content/uploads/ via web server configuration. This blocks direct requests to an uploaded web shell; it does not stop the vulnerable handler from including the same file, because that read happens inside PHP and never passes through the web server's request routing.
# Apache: put this in httpd.conf or the vhost (an .htaccess in uploads/ only works where AllowOverride permits it)
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.(php|phtml|phar|php[0-9])$">
        Require all denied
    </FilesMatch>
</Directory>
# Nginx equivalent. Declare it before the "location ~ \.php$" block that proxies to php-fpm:
# nginx uses the first matching regex location, so a later declaration would never be reached.
# A bare "return 403" is enough; a "deny all" placed after it is never evaluated.
location ~* ^/wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.