Managed-WP.™

Local File Inclusion Vulnerability in VC Addons | CVE-2025-14475 | 2026-02-10

Plugin Name: Extensive VC Addons for WPBakery page builder
Type of Vulnerability: Local File Inclusion (LFI)
CVE Number: CVE-2025-14475
Urgency: High
CVE Publish Date: 2026-02-10
Source URL: CVE-2025-14475

Critical Local File Inclusion Vulnerability in “Extensive VC Addons for WPBakery page builder” (≤ 1.9.1) — Essential Actions for Site Owners

On February 10, 2026, a high-severity security flaw (CVE-2025-14475) was disclosed affecting versions up to and including 1.9.1 of the “Extensive VC Addons for WPBakery page builder” WordPress plugin. This unauthenticated Local File Inclusion (LFI) vulnerability, with a CVSS score of 8.1, enables remote attackers to access local files on vulnerable servers — a risk that demands immediate mitigation to protect your business and website visitors.

In the following analysis, Managed-WP breaks down what this vulnerability entails, how it might be exploited, detection strategies, and the practical steps required to mitigate risk promptly and effectively.

Note: This technical advisory is provided from the perspective of Managed-WP, a leading US-based WordPress security expert. Our goal is to equip administrators and developers with actionable intelligence without sharing exploit details that might aid malicious actors.


Executive Summary

  • Vulnerability: Unauthenticated Local File Inclusion (LFI) via the plugin’s handling of the shortcode_name parameter.
  • Affected Versions: Extensive VC Addons for WPBakery page builder ≤ 1.9.1.
  • CVE Identifier: CVE-2025-14475
  • Severity: High (CVSS 8.1)
  • Risk Impact: Exposure of server files (including wp-config.php), possible credential leakage, and, depending on server configurations, escalation to remote code execution (RCE) and full site takeover.
  • Immediate Recommendations: Disable or remove the plugin, apply Web Application Firewall (WAF) rules or virtual patches, rotate credentials if compromise is suspected, scrutinize logs, and scan for unauthorized backdoors.

Understanding Local File Inclusion (LFI) and Its Security Implications

LFI vulnerabilities allow attackers to trick a web application into loading files from the server’s local filesystem. The consequences of such exploitation include:

  • Exposure of sensitive files like wp-config.php, private keys, environment configurations, and logs containing credentials.
  • Chaining with other vulnerabilities (e.g., unsafe file uploads, deserialization flaws) to execute arbitrary code.
  • Using compromised sites as pivot points for further intrusions into internal networks.

These risks are particularly acute when the vulnerability is unauthenticated, permitting any remote attacker to exploit it freely, especially if the WordPress environment runs with overly permissive file access rights.


How This Vulnerability Operates

The root cause lies in how the plugin processes the shortcode_name parameter, an input that controls which file is loaded. Such input should be strictly validated against a whitelist of permitted values before any file inclusion takes place. Because the parameter is insufficiently sanitized, an attacker can manipulate it to make the plugin include arbitrary local files.

Important Note: Managed-WP refrains from publishing exploit payloads. Our focus is defensive—helping you detect, prevent, and remediate.


Who is Impacted?

  • Any WordPress installation running Extensive VC Addons for WPBakery page builder version 1.9.1 or earlier.
  • Sites that have deactivated but not removed the plugin may still be at risk depending on setup—complete removal is advised unless confirmed otherwise.
  • Even sites with the plugin files present on disk but inactive should audit for residual vulnerabilities.

Potential Attack Vectors

Attackers commonly run automated scans for vulnerable sites, sending crafted HTTP requests in which the shortcode_name parameter attempts to traverse directories or reference sensitive files.

Because no authentication is required, these scans and attacks are expected to escalate rapidly following public disclosure. How easily the flaw can be exploited varies by server environment, but the risk remains substantial.


Immediate Defensive Actions

  1. Comprehensive Plugin Inventory:
    • Identify all sites where this plugin is installed by scanning plugin directories (wp-content/plugins/extensive-vc-addon).
    • Centralize and automate discovery for environments managing multiple WordPress instances.
  2. Plugin Deactivation or Removal:
    • Deactivate the plugin immediately if your site functionality allows.
    • If possible, completely remove the plugin files from the installation.
  3. Implement WAF Rules or Virtual Patching:
    • Block requests containing suspicious shortcode_name parameter values indicative of directory traversal or file references.
    • Ensure your firewall or security plugin is configured to detect and prevent LFI patterns related to this vulnerability.
  4. Harden File System Permissions:
    • Restrict PHP execution within writable directories (wp-content/uploads, etc.).
    • Maintain strict read/write permissions – PHP should not have unnecessary access rights.
  5. Monitoring and Forensic Review:
    • Analyze server and WAF logs for anomalous shortcode_name parameter usage or directory traversal patterns.
    • Run site integrity scans for suspicious or new PHP files and changed core/plugin/theme files.
  6. Credential Rotation:
    • If compromise is suspected, immediately rotate database credentials, WordPress security salts, API keys, and reset administrative passwords.
  7. Await and Apply Official Plugin Updates:
    • Track the plugin vendor’s communications for official patches and apply verified updates promptly.
    • Maintain protective controls until patches are applied fleet-wide.

Detecting Exploitation and Indicators of Compromise

Monitoring your environment is critical to quickly identify attempts or successful exploitations:

  • Check web server logs for suspicious query strings containing shortcode_name with directory traversal characters (../ or encoded variants).
  • Review WAF logs for matched signatures or blocks related to this parameter.
  • Inspect WordPress debug logs for unusual errors or warnings triggered by file inclusion attempts.
  • Audit filesystem for unexpected PHP files in writable directories or newly altered files.

Example searches to identify suspicious activity:

grep -i "shortcode_name" /var/log/nginx/access.log*
grep -iE '\.\./|%2e%2e|wp-config\.php|\.env' /var/log/apache2/access.log*

Mitigating with a Web Application Firewall

Implementing WAF rules is one of the fastest methods to reduce exposure:

  1. Block Malicious Parameter Values: Filter requests where shortcode_name includes directory traversal patterns (../, %2e%2e), references to sensitive files like wp-config.php, or file extensions like .php.
  2. Whitelist Expected Values: Where possible, restrict shortcode_name to an enumerated list of allowed shortcodes.
  3. Limit HTTP Methods: Allow only necessary HTTP methods on plugin endpoints to reduce attack surface.
  4. Use Rate Limiting and IP Reputation Controls: Block or throttle suspicious IP addresses and bursts of requests to plugin URLs.
  5. Apply Virtual Patching: Define security rules that intercept exploit patterns until official patches are deployed.

Example conceptual WAF rule:

IF request contains parameter shortcode_name AND its value matches (\.\./|%2e%2e|wp-config\.php|\.env|%00|\.php) THEN block request.

Note: Testing these rules in a staging environment is critical to avoid disrupting legitimate site functionality.
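As an added example (not code from the original advisory), the log searches and the conceptual WAF rule above combined into one small Python classifier: it extracts shortcode_name from access-log request targets, URL-decodes repeatedly so double-encoded traversal is caught, applies the advisory's pattern list, and optionally enforces an allowlist of expected values. The log lines, the shortcode name evc_button and the "/" request path are constructed samples, not the plugin's real endpoint or shortcodes.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "shortcode_name"
# The advisory's conceptual rule, run on the fully decoded value so that
# %2e%2e and double-encoded %252e%252e variants are caught as plain "../".
SUSPICIOUS = re.compile(r"\.\./|\.\.\\|wp-config\.php|\.env\b|\x00|\.php\b", re.I)
# Combined log format: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    """URL-decode repeatedly (bounded) to strip stacked encoding layers."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(target, allowed=None):
    """Return (verdict, decoded): 'clean' if absent/acceptable, 'suspicious' if the
    rule matches, 'unexpected' if an allowlist is given and the value is not in it."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(PARAM)
    if not values:
        return "clean", None
    for raw in values:  # parse_qs already decoded one layer
        decoded = decode_fully(raw)
        if SUSPICIOUS.search(decoded):
            return "suspicious", decoded
        if allowed is not None and decoded not in allowed:
            return "unexpected", decoded
    return "clean", decoded

def scan_log(lines, allowed=None):
    """Return (ip, target, verdict, decoded) for every request that is not clean."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            verdict, decoded = classify_request(m["target"], allowed)
            if verdict != "clean":
                hits.append((m["ip"], m["target"], verdict, decoded))
    return hits

# Constructed sample lines (not real traffic); "/" is a placeholder request path.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2026:12:00:01 +0000] "GET /?shortcode_name=evc_button HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Feb/2026:12:00:02 +0000] "GET /?shortcode_name=../../wp-config.php HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Feb/2026:12:00:03 +0000] "GET /?shortcode_name=%2e%2e%2f%2e%2e%2f.env HTTP/1.1" 403 0',
    '192.0.2.9 - - [10/Feb/2026:12:00:04 +0000] "GET /?shortcode_name=%252e%252e%252fwp-config.php HTTP/1.1" 200 300',
]
```

Calling scan_log(SAMPLE_LOG, allowed={"evc_button"}) flags the three traversal requests, including the double-encoded one that a single-decode grep would miss; a 200 status on such a hit is the case that deserves a forensic review.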


Patching and Long-Term Remediation Strategies

  • Stay current with official plugin releases and promptly deploy security updates fixing CVE-2025-14475.
  • If no official fix is available, maintain WAF mitigations or consider removing the plugin.
  • Evaluate alternative plugins with proven security records if the vendor’s response is delayed or inadequate.

Incident Response Recommendations

If you suspect a compromise:

  • Isolate the site (maintenance mode, restrict external access).
  • Gather forensic data: server logs, file system snapshots, database exports.
  • Restore from clean backups where possible.
  • Rotate all critical credentials (database, WordPress salts, API keys).
  • Clean or reinstall WordPress core, themes, and plugins from trusted sources.
  • Harden environment settings (permissions, disable PHP in upload directories, remove unused plugins/themes).
  • Monitor closely for re-infection for at least 3 months.

Secure Development Recommendations for Plugin Authors

  • Never pass user input directly to include or require statements without strict sanitization.
  • Implement whitelisting of filenames or shortcodes via a controlled mapping.
  • Use functions like realpath to validate resolved file paths lie within expected directories.
  • Reject inputs containing traversal sequences (..) or null bytes (%00).
  • Add comprehensive unit and integration testing for input handling.
  • Employ static analysis, dependency scanning, and rigorous code review workflows.
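An added example of the allowlist-plus-realpath approach recommended above, written in Python rather than the plugin's PHP to show the pattern (it is not the plugin's code): the user-supplied value is only ever used as a dictionary key, never as a path fragment, and the resolved file must remain inside the template directory. The shortcode names and template files are hypothetical, and evc_broken is a deliberately wrong mapping entry included to show the containment check catching it.

```python
import os

# Allowlist mapping shortcode names to fixed template files. Names are hypothetical,
# not the plugin's real shortcodes; "evc_broken" is a deliberately bad entry that
# demonstrates the realpath check guarding against mistakes in the map itself.
TEMPLATE_MAP = {
    "evc_button": "button.php",
    "evc_heading": "heading.php",
    "evc_broken": "../outside.php",
}

def safe_resolve(shortcode_name, template_dir):
    """Return (absolute_path, "ok") or (None, reason) for a user-supplied name.

    The anti-pattern this replaces is building an include path from the raw
    parameter. Here the raw value never touches the filesystem: it is only a key."""
    # 1. Reject null bytes and traversal sequences outright (cheap and loud).
    if "\x00" in shortcode_name:
        return None, "null byte"
    if ".." in shortcode_name or "/" in shortcode_name or "\\" in shortcode_name:
        return None, "traversal sequence"
    # 2. Require an allowlist hit; unknown names are never turned into paths.
    rel = TEMPLATE_MAP.get(shortcode_name)
    if rel is None:
        return None, "not in allowlist"
    # 3. Resolve and confirm containment: realpath follows symlinks and collapses
    #    "..", so the comparison is made on the file that would actually load.
    base = os.path.realpath(template_dir)
    full = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, full]) != base:
        return None, "resolved path escapes template directory"
    return full, "ok"
```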

General WordPress Hardening Guidelines

  • Keep WordPress core, plugins, and themes updated.
  • Remove plugins and themes not actively in use.
  • Enforce least privilege for file system and database access.
  • Disable file editing in the dashboard via define('DISALLOW_FILE_EDIT', true);.
  • Implement file integrity monitoring solutions.
  • Prevent PHP execution in uploads and other writable directories using server rules.
  • Use strong, unique passwords and enable multi-factor authentication (MFA) on admin accounts.
  • Maintain regular offline backups and test restores.

How Managed-WP Defends Your WordPress Sites

Managed-WP offers comprehensive security services designed to mitigate this and similar vulnerabilities:

  • Instant Virtual Patching: Deploy custom WAF rules blocking exploitation attempts, minimizing risk until official fixes are applied.
  • Continuous Malware Scanning: Detect and alert on suspicious modifications or unauthorized files across your sites.
  • Detailed Logging and Analytics: Monitor threats with granular request logging and forensic support.
  • OWASP Top 10 Protections: Defend against common categories including LFI, RCE, and injection flaws.
  • Guided Remediation: Receive customized alerts and expert guidance for immediate and long-term risk reduction.

For organizations managing multiple WordPress installations, Managed-WP’s automated virtual patching significantly reduces the window of exposure compared to manual patch rollouts.


Start with Managed-WP’s Free Protection

Protect Your Site Now with Our Free Plan

Managed-WP’s Free plan offers critical baseline protections, including managed firewall rules, WAF coverage, malware scanning, and mitigation against OWASP Top 10 risks—ideal for quickly reducing immediate threat vectors while you coordinate deeper remediation.

Sign up in minutes to lock down your WordPress sites:
https://managed-wp.com/free-plan

Advanced plans provide automated malware removal, IP reputation management, monthly security reporting, and hands-on incident response support for more comprehensive defense.


Frequently Asked Questions

Q: My site runs the affected plugin but shows no issues. Do I still need to act?
A: Absolutely. LFI exploits often leave no immediate visible signs. If your plugin version is ≤ 1.9.1, follow all mitigation steps promptly to prevent compromise.

Q: Will a WAF alone fully protect me?
A: A well-tuned WAF dramatically reduces risk by blocking exploit attempts early. However, it is a mitigation, not a permanent fix. Applying vendor patches remains essential for complete security.

Q: What if disabling the plugin breaks site functionality?
A: Temporarily enforce WAF rules to block malicious patterns associated with shortcode_name. Use rate limiting and IP filtering to reduce exposure until an official patch can be applied.


Final Recommendations

This LFI vulnerability poses a significant threat to the confidentiality and integrity of your WordPress sites. If you use Extensive VC Addons for WPBakery page builder version 1.9.1 or earlier, immediately:

  1. Identify all affected sites under your control.
  2. Deactivate or uninstall the vulnerable plugin wherever feasible.
  3. Deploy WAF rules or virtual patches to block exploitation attempts immediately.
  4. Continuously monitor logs and scan for signs of data leakage or compromise.
  5. Rotate credentials and conduct a full incident response if you detect compromise.
  6. Apply official plugin updates promptly once released and tested.

Managed-WP is ready to help safeguard your portfolio with managed virtual patching, continuous monitoring, and expert remediation. Our Free plan is an ideal starting point:

https://managed-wp.com/free-plan

Stay vigilant. The fastest mitigations mean the difference between thwarting an attack and enduring a damaging breach.

— Managed-WP Security Team


Take Proactive Action — Secure Your Site with Managed-WP

Don’t risk your business or reputation due to overlooked plugin flaws or weak permissions. Managed-WP provides robust Web Application Firewall (WAF) protection, tailored vulnerability response, and hands-on remediation for WordPress security that goes far beyond standard hosting services.

Exclusive Offer for Blog Readers:
Access our MWPv1r1 protection plan—industry-grade security starting from just USD20/month.

  • Automated virtual patching and advanced role-based traffic filtering
  • Personalized onboarding and step-by-step site security checklist
  • Real-time monitoring, incident alerts, and priority remediation support
  • Actionable best-practice guides for secrets management and role hardening

Get Started Easily — Secure Your Site for USD20/month:
Protect My Site with Managed-WP MWPv1r1 Plan

Why trust Managed-WP?

  • Immediate coverage against newly discovered plugin and theme vulnerabilities
  • Custom WAF rules and instant virtual patching for high-risk scenarios
  • Concierge onboarding, expert remediation, and best-practice advice whenever you need it

Don’t wait for the next security breach. Safeguard your WordPress site and reputation with Managed-WP—the choice for businesses serious about security.
Click above to start your protection today (MWPv1r1 plan, USD20/month).
