CVE-2025-25155
Published: 07 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-25155 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the efreja Music Sheet Viewer WordPress plugin (music-sheet-viewer). This flaw enables path traversal attacks and affects all versions of the plugin up to and including 4.1.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to network accessibility, low complexity, no required privileges or user interaction, and unchanged scope. Unauthenticated remote attackers can exploit it to achieve high-impact confidentiality violations by reading arbitrary files on the affected server.
Mitigation guidance is available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/music-sheet-viewer/vulnerability/wordpress-music-sheet-viewer-plugin-4-1-arbitrary-file-read-vulnerability?_s_id=cve, which details the arbitrary file read vulnerability in Music Sheet Viewer plugin version 4.1.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability in the public-facing WordPress plugin enables unauthenticated remote exploitation of the application to read arbitrary server files, directly mapping to T1190 (Exploit Public-Facing Application) for initial access and T1005 (Data from Local System) for collection of sensitive data from the local filesystem.