CVE-2025-8905 MEDIUM

CVE-2025-8905: Inpersttion For Theme <= 1.0 - Authenticated (Contributor+) Arbitrary Function Call

Vendor Inpersttion
Product Inpersttion For Theme
Weakness CWE-94 · Code injection
Published August 15, 2025
Last update April 8, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters.
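
The bug class described above, as a constructed PHP illustration: a shortcode attribute that selects the function to call, beside an allowlisted version. This is an added example, not the plugin's source code; the attribute names `callback` and `section`, the shortcode tag `demo_section`, and every `demo_` function are hypothetical.

```php
<?php
// Constructed illustration of the weakness (CWE-94); NOT the plugin's code.

// Vulnerable pattern: the attribute value is used directly as a callable.
function demo_section_shortcode_vulnerable($atts): string
{
    $atts = (array) $atts;            // WordPress passes '' when no attributes
    $fn   = $atts['callback'] ?? '';
    // Any function name typed into post content is invoked with no
    // arguments: PHP built-ins, core functions, other plugins' functions.
    return (is_string($fn) && is_callable($fn)) ? (string) call_user_func($fn) : '';
}

// The only renderers the shortcode is meant to expose.
function demo_render_hero(): string   { return '<section class="hero"></section>'; }
function demo_render_footer(): string { return '<section class="footer"></section>'; }

// Hardened pattern: the attribute is a key into a fixed map, never a callable.
function demo_section_shortcode_hardened($atts): string
{
    static $allowed = [
        'hero'   => 'demo_render_hero',
        'footer' => 'demo_render_footer',
    ];
    $atts = (array) $atts;
    $raw  = $atts['section'] ?? '';
    $key  = is_string($raw) ? strtolower(trim($raw)) : '';
    if (!isset($allowed[$key])) {
        return '';                    // unknown key: render nothing, call nothing
    }
    return $allowed[$key]();
}

// Register only when loaded inside WordPress; the file also runs under PHP CLI.
if (function_exists('add_shortcode')) {
    add_shortcode('demo_section', 'demo_section_shortcode_hardened');
}

// Constructed inputs: a harmless built-in name stands in for "any function".
if (PHP_SAPI === 'cli' && !function_exists('add_shortcode')) {
    $probe = ['callback' => 'phpversion', 'section' => 'phpversion'];
    var_dump(demo_section_shortcode_vulnerable($probe)); // built-in is called
    var_dump(demo_section_shortcode_hardened($probe));   // not in the map
    var_dump(demo_section_shortcode_hardened(['section' => ' Hero ']));
}
```

When reviewing other shortcode handlers for the same weakness, look for attribute values that reach `call_user_func()`, `call_user_func_array()`, or a variable function call without passing through a fixed map like `$allowed`.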

Explanation of Vulnerability in Simple Terms

02 Summary

Inpersttion For Theme versions 1.0 and earlier contain a code injection vulnerability. An authenticated attacker with Contributor-level access or above can make the plugin call arbitrary functions on the server, without user-supplied parameters, potentially compromising site integrity and confidentiality. The vulnerability requires valid user credentials but no additional user interaction to exploit.

What an attacker can do

03 Attacker Capabilities

Call arbitrary functions on the server, without user-supplied parameters, from an authenticated account with Contributor-level access or above.

Potential impact on your site

04 Site Impact

A compromised user account can be leveraged to inject malicious code, affecting site data and functionality.

Conditions required to exploit

05 Prerequisites

Attacker must have an authenticated account on the site with Contributor-level access or above.

Key dates

06 Disclosure timeline

August 15, 2025 CVE published
April 8, 2026 Record updated