The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template paramete…
Published:
13 January 2026 at 23:00:00
Alert date:
14 January 2026 at 11:36:08
Source:
nvd.nist.gov
Web Technologies
The News and Blog Designer Bundle plugin for WordPress contains a Local File Inclusion vulnerability in all versions up to 1.1. The vulnerability exists in the template parameter and allows unauthenticated attackers to include and execute arbitrary PHP files on the server. This can lead to execution of malicious PHP code, bypassing access controls, obtaining sensitive data, or achieving code execution when PHP files can be uploaded and included. The vulnerability affects the plugin's AJAX functionality and poses a high security risk.
Technical details
Mitigation steps:
Affected products:
WordPress News and Blog Designer Bundle plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-14502
https://plugins.trac.wordpress.org/browser/news-and-blog-designer-bundle/trunk/includes/class-nbdb-ajax.php#L31
https://www.wordfence.com/threat-intel/vulnerabilities/id/e02683dc-0771-4bd5-bba3-2b5423da1c80?source=cve
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.