CVE-2025-11722: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2025-11722 affects the Woocommerce Category and Products Accordion Panel plugin for WordPress in all versions up to and including 1.0. The vulnerability was discovered by Muhammad Yudha - DJ and was publicly disclosed on October 14, 2025. This security flaw is classified as a Local File Inclusion vulnerability, which affects the plugin's 'categoryaccordionpanel' shortcode functionality (NVD, Wordfence Intel).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The security flaw is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The vulnerability specifically involves the 'categoryaccordionpanel' shortcode, which fails to properly validate file inclusions (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary .php files on the server. This can lead to the execution of any PHP code contained within those files. The impact includes potential bypass of access controls, unauthorized access to sensitive data, and possible code execution if .php file types can be uploaded and included on the target system (NVD).