CVE-2025-68905 HIGH

CVE-2025-68905: WordPress JNews - Pay Writer plugin <= 11.0.0 - Local File Inclusion vulnerability

Vendor Jegtheme

Product JNews - Pay Writer

Weakness CWE-98 · PHP file inclusion

Published January 22, 2026

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion.This issue affects JNews - Pay Writer: from n/a through <= 11.0.0.

Explanation of Vulnerability in Simple Terms

02Summary

JNews - Pay Writer versions up to 11.0.0 contain a code injection vulnerability that allows authenticated users with low privileges to execute arbitrary code on the site. The vulnerability requires high attack complexity but grants full control over site data and operations. Site administrators should update immediately to a patched version.

What an attacker can do

03Attacker Capabilities

Run arbitrary code on the site, read/modify all data, and take full control of the WordPress installation.

Potential impact on your site

04Site Impact

Any low-privilege user account can compromise the entire site, steal data, inject malware, or lock out administrators.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege authenticated account (e.g., contributor or author role).

Key dates

06Disclosure timeline

January 22, 2026 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-68905 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/98.html

Related vulnerabilities