What the vulnerability does
01Description
The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible.
Explanation of Vulnerability in Simple Terms
02Summary
The Premium Age Verification / Restriction plugin for WordPress versions 3.0.2 and earlier contains a hardcoded credential vulnerability. An attacker can use embedded credentials to gain unauthorized access to the plugin's functionality without authentication. This allows full control over the plugin's features and potentially the site itself. Update immediately to a version newer than 3.0.2.
What an attacker can do
03Attacker Capabilities
Gain unauthorized access to the plugin and execute administrative functions without a valid account.
Potential impact on your site
04Site Impact
Attackers can bypass age verification controls, modify plugin settings, and potentially compromise site security.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
July 11, 2025
CVE published
April 8, 2026
Record updated