CVE-2025-11722: 
WordPress vulnerability analysis and mitigation

The Woocommerce Category and Products Accordion Panel plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2025-11722) affecting all versions up to and including 1.0. The vulnerability was discovered and disclosed on October 15, 2025, by researcher Muhammad Yudha - DJ (NVD Database).

The vulnerability exists in the 'categoryaccordionpanel' shortcode implementation and has been assigned a CVSS v3.1 base score of 7.5 (High). The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The technical assessment indicates that authenticated attackers with Contributor-level access or higher can exploit this vulnerability to include and execute arbitrary .php files on the server (Wordfence).

The vulnerability allows attackers to bypass access controls, obtain sensitive data, and potentially achieve code execution in cases where .php file types can be uploaded and included. This poses a significant security risk to affected WordPress installations (NVD Database).

Website administrators running the affected plugin should update to a version newer than 1.0 when available or consider removing the plugin until a patch is released (NVD Database).