CVE-2025-24605
Published: 03 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-24605 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the RealMag777 WOLF bulk-editor WordPress plugin. It affects all WOLF versions up to and including 1.0.8.5 (no lower bound is given) and allows an attacker to escape the plugin's intended directory and access files outside it.
The vulnerability carries a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N), indicating network accessibility with low attack complexity but requiring high privileges, such as administrative access. An authenticated attacker with sufficient permissions can exploit it to achieve high-impact confidentiality violations, such as reading sensitive files, without affecting integrity or availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/bulk-editor/vulnerability/wordpress-wolf-plugin-1-0-8-5-path-traversal-vulnerability?_s_id=cve documents the path traversal issue in WOLF plugin version 1.0.8.5 and provides details relevant to mitigation for affected WordPress installations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability directly enables reading sensitive files on the local system by bypassing directory restrictions, mapping to T1005: Data from Local System.