CVE-2025-23422
Published: 24 January 2025
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in moaluko Store Locator store-locator allows PHP Local File Inclusion. This issue affects Store Locator: from n/a through <= 3.98.10.
Security Summary
CVE-2025-23422 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified under CWE-22 (Path Traversal), in the moaluko Store Locator WordPress plugin (store-locator). This flaw allows PHP Local File Inclusion and affects all versions from n/a through 3.98.10. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact despite requiring user interaction and high attack complexity.
An unauthenticated remote attacker can exploit this vulnerability over the network by tricking a user into performing an action, such as interacting with a maliciously crafted request. Successful exploitation enables PHP Local File Inclusion, potentially allowing the attacker to access or include arbitrary local files on the server, resulting in high impacts to confidentiality, integrity, and availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/store-locator/vulnerability/wordpress-store-locator-plugin-3-98-10-local-file-inclusion-vulnerability?_s_id=cve. Security practitioners should update to a patched version if available and review plugin configurations for path handling.
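The CWE-22 to PHP Local File Inclusion chain described above comes down to one pattern: a request-controlled value reaching include() without confinement. The following PHP is an added illustration written for this record, not code from the Store Locator plugin; the "template" parameter, the templates/ directory and the template names are assumptions chosen for the example. It places the vulnerable shape beside a hardened version that combines an allowlist with a realpath() prefix check, which is the kind of path handling a practitioner should look for when reviewing a plugin.

```php
<?php
// Added example, not the plugin's own code. The parameter name "template",
// the templates/ directory and the allowlist entries are assumptions.

// VULNERABLE shape (CWE-22 -> PHP Local File Inclusion): the request value
// is concatenated into an include() path, so "../" sequences, and on some
// configurations wrapper prefixes, walk outside the intended directory.
function render_template_vulnerable(string $name): void
{
    include __DIR__ . '/templates/' . $name;
}

// HARDENED shape: accept only known template stems, then confirm that the
// canonical path still lies inside the templates directory before including.
function render_template_safe(string $name): bool
{
    static $allowed = ['list', 'map', 'single'];   // assumed template stems
    if (!in_array($name, $allowed, true)) {
        return false;                               // unknown name: refuse
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $name . '.php');
    // realpath() returns false for missing files and collapses "../"; the
    // prefix check additionally blocks symlinks that resolve outside $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Dispatch: the hardened variant never hands a raw request value to include().
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'list';
if (!render_template_safe($requested)) {
    http_response_code(400);
    echo 'Invalid template';
}
```

The allowlist alone is sufficient for a fixed set of templates; the realpath() prefix check is kept as defence in depth for code paths that must accept file names not known in advance. When auditing a plugin for this class of flaw, grep for include, require and their _once variants whose argument is built from $_GET, $_POST or $_REQUEST, and check web server logs for "../" or encoded equivalents in the plugin's request parameters as a detection signal.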
Details
- CWE(s)