CVE-2025-25163
Published: 07 February 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-25163 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, corresponding to CWE-22, in the A/B Image Optimizer WordPress plugin (images-optimizer) developed by Zach Swetz. This flaw affects all versions of the plugin up to and including 3.3, enabling attackers to bypass directory restrictions.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Exploitation allows arbitrary file downloads from the server, resulting in high confidentiality impact by exposing sensitive files outside the intended directory.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/images-optimizer/vulnerability/wordpress-plugin-a-b-image-optimizer-plugin-3-3-arbitrary-file-download-vulnerability?_s_id=cve, which documents the arbitrary file download vulnerability in version 3.3.
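Because the flaw is a CWE-22 path traversal, the server-side fix is to canonicalize the requested name against the served directory and refuse anything that resolves outside it. The following Python check is an added example, not the plugin's code; it assumes a download handler that serves files from one fixed base directory given a user-controlled relative name, and the file names it tests against are constructed.

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested name would resolve outside the served directory."""


def resolve_download_path(base_dir: str, requested: str) -> str:
    """Return the canonical absolute path of `requested` inside `base_dir`, else raise.
    Checks the realpath form, so '..', encoded traversal, absolute paths and symlinks
    pointing outside base_dir are all rejected, not just a literal '../' substring."""
    # Decode twice so double-encoded traversal ("%252e%252e") cannot slip past.
    name = unquote(unquote(requested))
    if "\x00" in name:
        raise PathTraversalError("NUL byte in requested name")
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` when `name` is absolute; realpath collapses '..'.
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{requested!r} escapes {base_dir}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def classify_requests(base_dir: str, names: list) -> dict:
    """Map each requested name to 'allowed', 'blocked' or 'missing' (useful for log review)."""
    verdicts = {}
    for name in names:
        try:
            resolve_download_path(base_dir, name)
            verdicts[name] = "allowed"
        except PathTraversalError:
            verdicts[name] = "blocked"
        except FileNotFoundError:
            verdicts[name] = "missing"
    return verdicts


def demo_verdicts() -> dict:
    """Constructed fixture: one legitimate image in a temporary served directory."""
    with tempfile.TemporaryDirectory() as served:
        open(os.path.join(served, "logo.png"), "wb").close()
        return classify_requests(served, ["logo.png", "../../outside.txt",
                                          "%2e%2e/%2e%2e/outside.txt",
                                          "/outside.txt", "missing.png"])
```

Note that a substring check for "../" alone would miss the percent-encoded and absolute-path cases above; comparing canonical paths catches all of them.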
Details
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing WordPress plugin enables remote, unauthenticated arbitrary file download, which maps directly to T1190 (Exploit Public-Facing Application) for initial access and T1005 (Data from Local System) for collection of sensitive files.