CVE-2025-14388
Published: 23 December 2025
Description
The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()`, which operates on URL-decoded paths, and `appendNormalized()`, which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.
Mitigating Controls (NIST 800-53 r5)
- Requires validation of information inputs like URL-decoded paths, directly preventing null byte injection that bypasses extension checks in the PhastPress plugin.
- Ensures timely identification, reporting, and correction of flaws such as this arbitrary file read vulnerability by updating the PhastPress plugin beyond version 3.7.
- Monitors for events indicative of information disclosure, such as unauthorized access to sensitive files like wp-config.php via the exploited null byte injection.
Security Summary
CVE-2025-14388 is an unauthenticated arbitrary file read vulnerability in the PhastPress plugin for WordPress, affecting all versions up to and including 3.7. The issue arises from a discrepancy in path handling: the getExtensionForURL() function performs extension validation on URL-decoded paths, while appendNormalized() strips everything after a null byte before constructing the filesystem path. This allows null byte injection, classified under CWE-158 (Improper Neutralization of Null Byte or NUL Character), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction or privileges required. By appending a double URL-encoded null byte (%2500) followed by an allowed extension such as .txt to a target file path, they can bypass extension checks and read arbitrary files from the webroot, including sensitive files like wp-config.php.
References provided include code locations in the plugin's phast.php file (lines 9570, 9597, 9608, and 9641 in tag 3.6) and changeset 3418139 at the WordPress plugins trac repository, which highlight the vulnerable functions and likely indicate the applied fix. Mitigation requires updating the PhastPress plugin to a version beyond 3.7.
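The root cause described above is a validate-one-string, open-another-string mismatch. The following added example (not the plugin's code; the function names, webroot and extension allow-list are constructed stand-ins) models the two steps as the advisory describes them, beside a hardened resolver that rejects control bytes and validates the extension and webroot containment on the final path that would actually be opened:

```python
import posixpath
from urllib.parse import unquote

# Constructed webroot and allow-list for the demo; not the plugin's real values.
WEBROOT = "/var/www/html"
ALLOWED_EXTENSIONS = {"css", "js", "txt"}


def extension_of_decoded(path: str) -> str:
    """Model of the validation step the advisory describes: the extension is
    read from the URL-decoded path, so 'x.php%00.txt' still ends in 'txt'."""
    decoded = unquote(path)
    return decoded.rsplit(".", 1)[-1].lower() if "." in decoded else ""


def append_normalized_vulnerable(root: str, path: str) -> str:
    """Model of the path-construction step: everything after a NUL is dropped,
    so the extension that passed validation never reaches the filesystem."""
    decoded = unquote(path).split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))


def resolve_vulnerable(path: str):
    """Validates one representation of the path and opens another."""
    if extension_of_decoded(path) not in ALLOWED_EXTENSIONS:
        return None
    return append_normalized_vulnerable(WEBROOT, path)


def resolve_hardened(path: str):
    """Decode once, reject control bytes, normalize, then check the extension
    and webroot containment on the final path that will actually be opened."""
    decoded = unquote(path)
    if any(ord(c) < 0x20 for c in decoded):  # NUL and other control bytes
        return None
    full = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    if posixpath.commonpath([WEBROOT, full]) != WEBROOT:
        return None
    name = posixpath.basename(full)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return full if ext in ALLOWED_EXTENSIONS else None


if __name__ == "__main__":
    # The request path as the plugin sees it after the web server's own decode
    # has turned %2500 into %00 (the double encoding the advisory describes).
    probe = "wp-config.php%00.txt"
    print("vulnerable:", resolve_vulnerable(probe))  # /var/www/html/wp-config.php
    print("hardened:  ", resolve_hardened(probe))    # None
```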
Details
- CWE(s): CWE-158 (Improper Neutralization of Null Byte or NUL Character)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated arbitrary file read vulnerability in a public-facing WordPress plugin enables exploitation of a public-facing application (T1190) and facilitates access to credentials in files like wp-config.php (T1552.001).