CVE-2025-25162
Published: 03 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-25162 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability (CWE-22), enabling Absolute Path Traversal in the kutu62 Sports Rankings and Lists WordPress plugin (sports-rankings-lists). This flaw affects all versions from n/a through 1.0.2, allowing attackers to bypass directory restrictions and access files outside the intended path.
With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), the vulnerability is exploitable remotely over the network with low attack complexity, no required privileges, and no user interaction. Unauthenticated attackers can achieve high confidentiality impact by reading sensitive files on the affected server, while integrity and availability remain unaffected.
Patchstack documents this issue in their vulnerability database for the Sports Rankings and Lists plugin.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing WordPress plugin enables remote file reads outside the intended directories. This directly supports exploitation of public-facing applications (T1190) and collection of sensitive data from the local file system (T1005).