Platform
wordpress
Component
age-gate
Fixed in
3.5.4
CVE-2025-2505 describes a critical Local PHP File Inclusion (LFI) vulnerability discovered in the Age Gate plugin for WordPress. This flaw allows unauthenticated attackers to include and execute arbitrary PHP files on the server, potentially leading to complete system compromise. The vulnerability affects versions from 0.0.0 up to and including 3.5.3, and a patch is available in version 3.5.4.
The impact of this vulnerability is severe. An attacker can leverage the 'lang' parameter to include and execute malicious PHP code. This could involve uploading a seemingly harmless file (like an image) and then including it via the LFI vulnerability. Successful exploitation allows attackers to bypass access controls, steal sensitive data stored on the server (database credentials, configuration files), and ultimately achieve remote code execution. The attacker effectively gains control over the WordPress instance and potentially the underlying server. This is akin to a remote code execution (RCE) vulnerability, albeit requiring local file upload as a prerequisite.
This vulnerability was publicly disclosed on March 20, 2025. While no active exploitation campaigns have been publicly confirmed, the critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation.
Exploit Status
EPSS
2.01% (84% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the Age Gate plugin to version 3.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting file uploads to only explicitly allowed file types. Implement strict input validation on the 'lang' parameter to prevent malicious file inclusions. Web Application Firewalls (WAFs) configured to detect and block attempts to include arbitrary files can provide an additional layer of defense. Monitor WordPress logs for unusual file inclusion attempts, specifically targeting the 'lang' parameter. A YARA rule could be created to detect the presence of malicious PHP files uploaded via this vulnerability.
Update the Age Gate plugin to version 3.5.4 or higher to mitigate the PHP File Inclusion vulnerability. This update corrects how the 'lang' parameter is handled, preventing the inclusion of arbitrary files.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-2505 is a critical Local PHP File Inclusion vulnerability affecting the Age Gate WordPress plugin, allowing attackers to execute arbitrary code.
You are affected if you are using Age Gate plugin versions 0.0.0 through 3.5.3. Check your plugin version immediately.
Upgrade the Age Gate plugin to version 3.5.4 or later to resolve the vulnerability. Consider temporary mitigations if immediate upgrade is not possible.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a high-priority target.
Check the Age Gate plugin's official website or WordPress plugin repository for the latest advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.