How to fix EUVD-2025-18333?

Within 24 hours: Identify all WordPress installations using the Zagg theme and disable the affected AJAX actions ('load_more_post', 'load_shop', 'load_more_product') via code modification or Web Application Firewall rules. Within 7 days: Audit server logs for exploitation attempts and verify no unauthorized file uploads or code execution occurred. Within 30 days: Switch to an alternative, actively maintained WooCommerce theme or wait for vendor patch release and immediately apply upon availability.

Is PHP affected by EUVD-2025-18333?

A critical vulnerability in the Zagg WooCommerce WordPress theme allows unauthenticated attackers to execute arbitrary code on affected web servers by exploiting file inclusion flaws in AJAX functions.

EUVD-2025-18333

| CVE-2025-4200 HIGH

2025-06-14 [email protected]

8.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 21:53 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 21:53 euvd

EUVD-2025-18333

CVE Published

Jun 14, 2025 - 09:15 nvd

HIGH 8.1

Description

The Zagg - Electronics & Accessories WooCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.1 via the load_view() function that is called via at least three AJAX actions: 'load_more_post', 'load_shop', and 'load_more_product. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Analysis

A remote code execution vulnerability in all (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Technical Context

CWE-98 (PHP Remote File Inclusion). CVSS 8.1 indicates high severity. Affects all.

Affected Products

['all']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.4

CVSS: +40

POC: 0

EUVD-2025-18333 vulnerability details – vuln.today

Back

EUVD-2025-18333

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-18333

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code