How to fix EUVD-2025-21108?

Within 24 hours: Identify all WordPress installations using Premium Age Verification plugin versions up to 3.0.2 and immediately disable or remove the plugin; review server logs for suspicious access to remote_tunnel.php. Within 7 days: Conduct file integrity audit to detect unauthorized changes; assess if sensitive files were accessed or modified; consider engaging incident response if compromise is suspected. Within 30 days: Monitor vendor for patch release; evaluate alternative age verification solutions; implement Web Application Firewall (WAF) rules to block remote_tunnel.php access if plugin cannot be immediately removed.

Is PHP affected by EUVD-2025-21108?

A critical vulnerability in the Premium Age Verification plugin for WordPress (CVE-2025-7401) allows unauthenticated attackers to read and write arbitrary files on affected servers, potentially exposing sensitive data or enabling remote code execution.

EUVD-2025-21108

| CVE-2025-7401 CRITICAL

2025-07-11 [email protected]

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 16, 2026 - 08:17 vuln.today

EUVD ID Assigned

Mar 16, 2026 - 08:17 euvd

EUVD-2025-21108

CVE Published

Jul 11, 2025 - 05:15 nvd

CRITICAL 9.8

Description

The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible.

Analysis

The Premium Age Verification / Restriction for WordPress plugin contains an insufficiently protected remote support functionality in remote_tunnel.php that allows unauthenticated attackers to read from or write to arbitrary files on affected servers. This critical vulnerability (CVSS 9.8) affects all versions up to and including 3.0.2, potentially enabling sensitive information disclosure or remote code execution without authentication. Given the critical CVSS score and network-accessible attack vector, this vulnerability should be treated as high priority pending confirmation of KEV status and active exploitation.

Technical Context

The vulnerability exists in the remote_tunnel.php file within the Premium Age Verification / Restriction plugin for WordPress. The root cause is classified under CWE-798 (Use of Hard-Coded Credentials) and relates to insufficiently protected remote support functionality. The plugin appears to implement a remote tunnel or support mechanism intended for administrators, but the access controls are inadequate, allowing unauthenticated network-based attackers to bypass authorization checks. This is a classic case of insecure direct object reference (IDOR) or missing authentication in a file operation handler. The vulnerability affects the WordPress plugin ecosystem, where remote_tunnel.php likely handles file I/O operations (read/write) without proper authentication validation or CSRF protection. Attackers can interact with the plugin's endpoints directly via HTTP requests without needing valid WordPress credentials or user accounts.

Affected Products

Premium Age Verification / Restriction for WordPress (All versions up to and including 3.0.2)

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.7

CVSS: +49

POC: 0

EUVD-2025-21108 vulnerability details – vuln.today

Back

EUVD-2025-21108

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

EUVD-2025-21108

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Priority Score

Share

External POC / Exploit Code