CVE-2025-30567
Published: 25 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2025-30567 is an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability, corresponding to CWE-22, in the WP01 WordPress plugin. This flaw affects WP01 versions from an unspecified initial release through 2.6.2. Published on 2025-03-25T19:15:46.350, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.
Remote attackers require only network access to exploit this vulnerability due to its low attack complexity and lack of authentication prerequisites. Exploitation enables arbitrary file downloads, allowing attackers to access sensitive files outside the intended directory restrictions on affected WordPress sites running vulnerable WP01 versions.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp01/vulnerability/wordpress-wp01-2-6-2-arbitrary-file-download-vulnerability?_s_id=cve details this as an arbitrary file download vulnerability in WP01 2.6.2, providing guidance for practitioners on mitigation measures.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing WordPress plugin enables remote unauthenticated exploitation of web application (T1190) and direct arbitrary file reads for local system data collection (T1005).