How to fix CVE-2025-15368?

Within 24 hours: Inventory all WordPress installations using SportsPress plugin and document affected versions. Within 7 days: Implement either plugin removal, disable shortcode functionality via code modifications, or deploy WAF rules blocking malicious shortcode patterns. Within 30 days: Evaluate alternative plugins, conduct security audit of affected systems for exploitation indicators, and establish vendor communication protocol for patch notification.

Is PHP affected by CVE-2025-15368?

The SportsPress WordPress plugin contains a critical vulnerability allowing authenticated contributors and above to execute arbitrary PHP code on affected servers.

CVE-2025-15368

HIGH

2026-02-04 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 04, 2026 - 14:16 nvd

HIGH 8.8

Description

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

Analysis

Technical Context

This vulnerability (CWE-98: PHP Remote File Inclusion) affects SportsPress (WordPress plugin). The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be up

Affected Products

Vendor: WordPress. Product: SportsPress (WordPress plugin). Versions: up to 2.7.26.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: 0

CVE-2025-15368 vulnerability details – vuln.today

Back

CVE-2025-15368

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-15368

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code