CVE-2025-8905 – Inpersttion For Theme <= 1.0 - Authenticated (Contributor+) Arbitrary Function Call

https://notcve.org/view.php?id=CVE-2025-8905

14 Aug 2025 — The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters. • https://www.wordfence.com/threat-intel/vulnerabilities/id/cd4dc8ab-792b-41ff-a7b9-77a11c02d91b?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •