CVE-2025-15368

HIGH

WordPress SportsPress <= 2.7.26 - Contributor Local File Inclusion Code Execution

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-15368. PoCs published by XiaomingX, kazehere4you.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2025-15368, targeting SportsPress plugin versions <= 2.7.26. The exploit chains Local File Inclusion (LFI) to achieve Remote Code Execution (RCE) by leveraging WordPress shortcode injection and file traversal techniques.

Description

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-15368

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2025-15368, targeting SportsPress plugin versions <= 2.7.26. The exploit chains Local File Inclusion (LFI) to achieve Remote Code Execution (RCE) by leveraging WordPress shortcode injection and file traversal techniques.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SportsPress WordPress Plugin <= 2.7.26

Auth required

Prerequisites: WordPress installation with SportsPress plugin <= 2.7.26 · Valid WordPress credentials with sufficient privileges

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC

by kazehere4you · poc

https://github.com/kazehere4you/CVE-2025-15368-Exploit

View Code ZIP pw:eip

This is a functional exploit for CVE-2025-15368, targeting a Local File Inclusion (LFI) vulnerability in SportsPress plugin <= 2.7.26, which can be chained to achieve Remote Code Execution (RCE). The exploit includes authentication handling, nonce retrieval, and file traversal techniques.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: SportsPress plugin <= 2.7.26

Auth required

Prerequisites: Valid WordPress credentials · SportsPress plugin <= 2.7.26 installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1210 - Exploitation of Remote Services

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451661%40sportspress&new=3451661%40sportspress&sfp_email=&sfph_mail=

Product

https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/class-sp-shortcodes.php#L182

Product

https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/class-sp-shortcodes.php#L32

Product

https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/sp-core-functions.php#L68

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/27e40af7-5697-4482-a96d-9216886c363b?source=cve

Scores

CVSS v3 8.8

EPSS 0.0075

EPSS Percentile 50.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-98

Status published

Products (1)

themeboy/SportsPress – Sports Club & League Manager < 2.7.26

Published Feb 04, 2026

Tracked Since Feb 18, 2026