CVE-2025-12824

Name of the Vulnerable Software and Affected Versions Player Leaderboard plugin for WordPress versions up to and including 1.0.2

Description The Player Leaderboard plugin for WordPress is susceptible to Local File Inclusion through the 'player leaderboard' shortcode. The issue stems from the plugin utilizing an unsanitized value from the 'mode' attribute within the shortcode in conjunction with the include() function, lacking adequate path validation. This allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary PHP files on the server. Successful exploitation could lead to bypassing access controls, obtaining sensitive data, or achieving full remote code execution, particularly if file upload functionality is also available. The vulnerable parameter is mode.

Recommendations Versions prior to 1.0.3 should be updated.