CVE-2025-7650 Overview
CVE-2025-7650 is a Local File Inclusion (LFI) vulnerability affecting the BizCalendar Web plugin for WordPress in all versions up to and including 1.1.0.53. The flaw resides in the bizcalv shortcode, which fails to properly validate file path input before inclusion. Authenticated attackers with Contributor-level access or higher can include and execute arbitrary files on the server. Successful exploitation enables PHP code execution, access control bypass, and disclosure of sensitive data. Where image uploads or other permitted file types are allowed, attackers can chain the LFI with file uploads to achieve remote code execution. The vulnerability is classified under CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program.
Critical Impact
Authenticated Contributor-level users can execute arbitrary PHP code on the underlying WordPress server, leading to full site compromise.
Affected Products
- BizCalendar Web plugin for WordPress, all versions up to and including 1.1.0.53
- WordPress sites with the bizcalv shortcode exposed to Contributor-level or higher users
- WordPress installations permitting authenticated file uploads alongside the vulnerable plugin
Discovery Timeline
- 2025-08-15 - CVE-2025-7650 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-7650
Vulnerability Analysis
The BizCalendar Web plugin registers the bizcalv shortcode to render calendar content within WordPress posts and pages. The shortcode handler accepts a user-controlled parameter that is passed to a PHP file inclusion function without adequate sanitization or allowlisting. As a result, attackers can supply path traversal sequences or absolute paths to load arbitrary files from the WordPress host.
Because WordPress shortcodes are processed server-side when a post is rendered, any user who can create or edit posts containing shortcodes can trigger the inclusion. Contributor accounts, which can submit posts for review but not publish them, are sufficient to reach the vulnerable code path. This significantly lowers the privilege barrier compared to admin-only flaws.
Root Cause
The root cause is improper control of a filename used in a PHP include or require statement, mapped to CWE-98. The shortcode parameter is concatenated into an include path without validating that the resulting file resides within an expected directory or matches an allowlist of permitted template names.
Attack Vector
An attacker with a Contributor or higher account authenticates to WordPress and creates a post containing the bizcalv shortcode with a crafted attribute pointing at an attacker-chosen file. When the post is previewed or rendered, the server includes the target file. If the file is uploaded media containing PHP payloads, the payload executes in the WordPress process. Attackers can also include configuration files, log files, or other sensitive resources to escalate access. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-7650
Indicators of Compromise
- Posts or revisions authored by Contributor accounts containing the bizcalv shortcode with unusual file path parameters or traversal sequences such as ../
- New or modified PHP files in wp-content/uploads/ directories
- Unexpected outbound network connections originating from the PHP-FPM or web server process after a post preview
- WordPress audit log entries showing media uploads followed by post creation referencing those uploaded files
Detection Strategies
- Inspect WordPress post and revision content for the bizcalv shortcode and parse its attributes for path traversal patterns or absolute filesystem paths
- Monitor the WordPress uploads directory for files with PHP extensions or polyglot files that contain <?php markers inside image data
- Correlate Contributor-level authentications with subsequent post preview requests to identify abuse of low-privilege accounts
Monitoring Recommendations
- Enable verbose web server access logging and alert on preview=true or shortcode rendering requests followed by file system anomalies
- Track PHP include and require events through application-layer instrumentation where available
- Review installed plugin inventories regularly and flag instances of BizCalendar Web at or below version 1.1.0.53
How to Mitigate CVE-2025-7650
Immediate Actions Required
- Update the BizCalendar Web plugin to a version newer than 1.1.0.53 once the vendor publishes a fixed release, tracked in the WordPress Plugin Changeset
- Audit existing Contributor, Author, and Editor accounts and disable any that are unused or untrusted
- Review posts and revisions for the bizcalv shortcode and remove suspicious entries pending investigation
Patch Information
The vendor changeset is published on the WordPress plugin repository. Administrators should monitor the WordPress BizCalendar Plugin page for an updated release and apply it across all affected sites. Until a patched version is installed, treat all installations at version 1.1.0.53 or earlier as vulnerable.
Workarounds
- Deactivate and remove the BizCalendar Web plugin until a patched version is available
- Restrict post creation privileges so that only fully trusted users hold Contributor-level or higher roles
- Disable PHP execution within the wp-content/uploads/ directory using web server configuration to limit exploitation impact
- Deploy a web application firewall rule that blocks shortcode attributes containing ../, absolute paths, or unexpected file extensions
# Apache configuration to block PHP execution in WordPress uploads
<Directory "/var/www/html/wp-content/uploads">
<FilesMatch "\.(php|phtml|phar|php5|php7)$">
Require all denied
</FilesMatch>
php_admin_flag engine off
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

