CVE-2025-26905
Published: 25 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-26905 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, classified as CWE-22, in the Estatik WordPress plugin. It allows PHP Local File Inclusion and affects Estatik versions from n/a through <= 4.3.0. The vulnerability was published on 2025-02-25 with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Low-privileged remote attackers (PR:L) can exploit this vulnerability over the network (AV:N) without user interaction, though it requires high attack complexity (AC:H). Successful exploitation enables high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H) through PHP Local File Inclusion, potentially allowing attackers to include and execute arbitrary local files.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/estatik/vulnerability/wordpress-estatik-plugin-4-1-9-local-file-inclusion-vulnerability?_s_id=cve provides further details on the vulnerability in the Estatik WordPress plugin.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a path traversal vulnerability in a public-facing WordPress plugin enabling PHP local file inclusion with remote exploitation and high impact, directly mapping to exploitation of public-facing applications.