CVE-2025-8562
Description
The Custom Query Shortcode plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.4.0 via the 'lens' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated attackers with Contributor-level access can read arbitrary files via path traversal in the 'lens' parameter of the Custom Query Shortcode plugin for WordPress.
The Custom Query Shortcode plugin for WordPress, up to version 0.4.0, contains a path traversal vulnerability in the 'lens' parameter. The plugin allows users to specify a custom output template via the 'lens' shortcode attribute, which is used to include a template file from the server. The plugin fails to properly sanitize or validate the user-supplied value for this parameter, enabling directory traversal sequences such as '../' to be passed [1][2].
To exploit this vulnerability, an attacker must be authenticated with at least Contributor-level access to the WordPress site. The attacker can then craft a shortcode with a malicious 'lens' value that traverses directories to read arbitrary files on the server; for example, this could be used to read sensitive files like wp-config.php or other system files. The vulnerability is present in all versions up to and including 0.4.0 [1].
Successful exploitation allows an attacker to read the contents of any file on the server that the web server user has access to. This can expose sensitive information such as database credentials, API keys, and other configuration details, potentially leading to further compromise of the site or server [1].
The vulnerability has been addressed in a pull request on the plugin's GitHub repository, which trims '../' sequences and uses sanitize_file_name() to sanitize the 'lens' and 'twig_template' parameters [2]. As of the publication date, users should update to a patched version if available, or apply the provided fixes manually. The plugin may also be removed if no update is released [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
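A defensive resolver for the 'lens' attribute, as an added example (not the plugin's own code nor the code from the cited pull request): it applies sanitize_file_name() as the fix does, then additionally confines the resolved path to the template directory with realpath() so that no name outside that directory is ever included. The function name cqs_resolve_lens_template, the $atts array and the templates directory are assumptions.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress is loaded:
// sanitize_file_name() and plugin_dir_path() are core WordPress functions.

/**
 * Resolve a user-supplied 'lens' name to an absolute template path inside
 * $base_dir, or return null when the value is not an allowed template name.
 */
function cqs_resolve_lens_template( string $lens, string $base_dir ): ?string {
    // 1. Reduce the value to a plain file name. sanitize_file_name() strips
    //    directory separators and collapses runs of dots, so '../' sequences
    //    cannot survive as path components.
    $name = sanitize_file_name( $lens );

    // 2. Allow only a conservative "name.php" shape (defense in depth; the
    //    sanitizer alone would still pass names such as "wp-config.php").
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.php$/', $name ) ) {
        return null;
    }

    // 3. Canonicalize and require the file to live inside the template
    //    directory. This also catches symlinks pointing out of the directory.
    $root = realpath( $base_dir );
    if ( $root === false ) {
        return null;
    }
    $path = realpath( $root . DIRECTORY_SEPARATOR . $name );
    if ( $path === false || strpos( $path, $root . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $path;
}

// Usage (hypothetical shortcode handler): include only after validation.
// '../../wp-config.php' or 'wp-config.php' both yield null here, so nothing
// outside the plugin's templates directory is included.
$template = cqs_resolve_lens_template(
    (string) ( $atts['lens'] ?? '' ),
    plugin_dir_path( __FILE__ ) . 'templates'
);
if ( $template !== null ) {
    include $template;
}
```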
Affected products (1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- github.com/peterhebert/custom-query-shortcode/pull/1 (nvd)
- plugins.svn.wordpress.org/custom-query-shortcode/tags/0.4.0/init.php (nvd)
- plugins.trac.wordpress.org/changeset/3348818/ (nvd)
- wordpress.org/plugins/custom-query-shortcode/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/9e37c664-76ed-4ede-88fd-e41b9969685f (nvd)
News mentions (0)
No linked articles in our index yet.