{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8905", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-12T19:54:09.748Z", "datePublished": "2025-08-15T08:25:41.084Z", "dateUpdated": "2026-04-08T17:24:03.908Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:03.908Z"}, "affected": [{"vendor": "inpersttion", "product": "Inpersttion For Theme", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters."}], "title": "Inpersttion For Theme <= 1.0 - Authenticated (Contributor+) Arbitrary Function Call", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd4dc8ab-792b-41ff-a7b9-77a11c02d91b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/err-our-team/trunk/inc/inpersttion-for-shortcode.php#L8"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "cweId": "CWE-94", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-08-14T20:16:19.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-15T16:07:39.480004Z", "id": "CVE-2025-8905", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T16:07:46.703Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8905", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-15T16:07:39.480004Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-15T16:07:43.274Z"}}], "cna": {"title": "Inpersttion For Theme <= 1.0 - Authenticated (Contributor+) Arbitrary Function Call", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}], "affected": [{"vendor": "inpersttion", "product": "Inpersttion For Theme", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-14T20:16:19.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd4dc8ab-792b-41ff-a7b9-77a11c02d91b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/err-our-team/trunk/inc/inpersttion-for-shortcode.php#L8"}], "descriptions": [{"lang": "en", "value": "The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-08-15T08:25:41.084Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8905", "state": "PUBLISHED", "dateUpdated": "2025-08-15T16:07:46.703Z", "dateReserved": "2025-08-12T19:54:09.748Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-08-15T08:25:41.084Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters."}, {"lang": "es", "value": "El complemento Inpersttion For Theme para WordPress es vulnerable a la ejecuci\u00f3n remota de c\u00f3digo en todas las versiones hasta la 1.0 incluida, a trav\u00e9s de la funci\u00f3n theme_section_shortcode(). Esto se debe a que el complemento no restringe las funciones que se pueden llamar. Esto permite que atacantes autenticados, con acceso de colaborador o superior, ejecuten c\u00f3digo en el servidor, limitado a funciones arbitrarias sin par\u00e1metros proporcionados por el usuario."}], "id": "CVE-2025-8905", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-08-15T09:15:31.520", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/err-our-team/trunk/inc/inpersttion-for-shortcode.php#L8"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd4dc8ab-792b-41ff-a7b9-77a11c02d91b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T19:56:10.917678+00:00", "value": {"mitigation_remediation": ["Upgrade the Inpersttion For Theme plugin to the most recent release that removes the arbitrary function call vulnerability, or uninstall the plugin if it is no longer needed.", "If an update is unavailable, modify the plugin\u2019s theme_section_shortcode function to restrict callable functions or disable the shortcode entirely via a custom plugin or functions.php tweak.", "Revoke Contributor or higher\u2011privileged accounts from users who do not require them, ensuring only trusted administrators retain the ability to use the shortcode on the site."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress installations that include the Inpersttion For Theme plugin, versions 1.0 and earlier. The plugin is distributed under the vendor identifier inpersttion:Inpersttion For Theme. Any site running these versions and permitting Contributor\u2011level accounts is vulnerable.", "description_and_impact": "The Inpersttion For Theme plugin for WordPress contains a flaw in the theme_section_shortcode() routine that fails to limit the functions an authenticated user can invoke. The flaw allows a logged\u2011in Contributor or higher to request any PHP function that the server can call, potentially without parameters, giving full code execution capability on the host. The vulnerability is recorded with a CVSS score of 6.3, indicating moderate severity for the affected platform.", "risk_and_exploitability": "The CVSS score of 6.3 reflects the potential impact of remote code execution once an attacker gains sufficient privileges. The EPSS score of less than 1% indicates the likelihood of exploitation is very low at present, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires a valid Contributor account or higher on the target WordPress site; attackers do not need to bypass authentication. Once authenticated, the attacker can trigger the flaw by invoking the shortcode, leading to code execution without any supplied parameters."}}}}, "created": "2025-08-16T21:40:54.544785+00:00", "updated": "2026-04-20T20:00:10.527892+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}