Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated HTTP endpoint (AV:N/AC:L/PR:N/UI:N); arbitrary file read yields high confidentiality impact but no integrity or availability impact, scope unchanged.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Arbitrary File Download in Premium Age Verification / Restriction for WordPress <= 3.0.2 versions.
AnalysisAI
Unauthenticated arbitrary file download in the Premium Age Verification / Restriction for WordPress plugin (versions ≤ 3.0.2) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials or user interaction. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability impact, consistent with file disclosure rather than code execution. There is no public exploit identified at time of analysis and the issue is not present in CISA KEV, but Patchstack has confirmed the flaw against a default plugin installation.
Technical ContextAI
The affected component is the AA-Team 'Premium Age Verification / Restriction for WordPress' plugin (CPE cpe:2.3:a:aa-team:premium_age_verification_/_restriction_for_wordpress), a commercial WordPress plugin that gates content behind an age-gate prompt. CWE-98 categorises this class as improper control of a filename used in a PHP include/require statement, which in practice means an attacker-controlled parameter is passed into a file-handling function. The tag set (LFI, Information Disclosure, PHP) and the 'Arbitrary File Download' description together indicate that a request parameter is reflected into a file path that the plugin then opens and streams back to the client, rather than executed as PHP - making this a file disclosure rather than full RFI/LFI-to-RCE primitive. Because the endpoint is reachable pre-authentication, the WordPress role/capability model offers no protection.
RemediationAI
No vendor-released patch identified at time of analysis - the Patchstack record covers versions ≤ 3.0.2 but the input does not name a fixed release, so administrators should consult the advisory at https://patchstack.com/database/wordpress/plugin/age-restriction/vulnerability/wordpress-premium-age-verification-restriction-for-wordpress-plugin-3-0-2-arbitrary-file-download-vulnerability and upgrade to a vendor-released version newer than 3.0.2 if one has since been published. Until a fix is confirmed, deactivate and remove the plugin (the cleanest mitigation, at the cost of losing the age-gate functionality) or place a WAF/Patchstack mitigation rule in front of WordPress to block requests carrying suspicious file-path parameters to the plugin's endpoints - note this can break legitimate plugin AJAX calls if the rule is too broad. As a defence-in-depth step, rotate any secrets that may have been exposed in wp-config.php (database password, AUTH_KEY/SECURE_AUTH_KEY salts) on any internet-facing site that has run vulnerable versions.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210217