CVE-2025-23819
Published: 03 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-23819 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified under CWE-22, that enables Absolute Path Traversal in the WP Cloud plugin developed by Marco Milesi. This flaw affects the WP Cloud plugin in all versions from n/a through 1.4.3, as published on 2025-02-03.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited over the network by unauthenticated attackers with low attack complexity and no user interaction required. Successful exploitation allows attackers to achieve high confidentiality impact by traversing paths to access restricted files outside the intended directory.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cloud/vulnerability/wordpress-wp-cloud-plugin-1-4-3-arbitrary-file-deletion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing WordPress plugin enables remote unauthenticated file read (T1190 for initial exploitation of public app; T1005 for collecting data from local system files).