Platform
wordpress
Component
store-locator
Fixed in
3.98.11
CVE-2025-23422 describes a path traversal vulnerability in the moaluko Store Locator plugin for WordPress. The flaw lets an attacker make the plugin include files from outside its intended directory (local file inclusion), which exposes sensitive data and, under the right conditions, leads to remote code execution. Versions from 0.0.0 up to and including 3.98.10 are affected; the fix ships in version 3.98.11.
The core impact of the flaw is local file inclusion (LFI). An attacker crafts a request whose file-path value contains dot-segments such as ../ (or an encoded equivalent) so that the plugin resolves a path outside its own directory. That allows them to read any file the web server process can access, most notably wp-config.php with its database credentials and authentication salts, other application source code, and readable system files. Because PHP executes whatever it includes, the flaw becomes remote code execution as soon as the attacker can place content they control on the server, for example through an upload or a poisoned log file, and point the inclusion at it. Even without that step, the credentials and secrets recovered from configuration files are typically enough to compromise the WordPress instance and, from there, the underlying server.
CVE-2025-23422 was publicly disclosed on January 24, 2025. At the time of writing there is no indication of exploitation in the wild, the CVE is not listed in the CISA KEV catalog, and no public proof-of-concept exploit is widely available. Path traversal bugs are simple to reproduce once the vulnerable parameter is known, so a working exploit is likely to appear.
Any WordPress site running the moaluko Store Locator plugin at a version from 0.0.0 through 3.98.10 is exposed. Shared hosting environments deserve particular attention: where the sites on a server are not isolated from one another, a compromise of one site can reach the files of the others.
• wordpress / plugin:
wp plugin list --fields=name,status,version | grep store-locator   # shows whether the plugin is installed and at which version, active or not
• wordpress / plugin:
wp plugin update --all   # updates every plugin; use `wp plugin update store-locator` to update only this one
• generic web:
curl -s -o /dev/null -w '%{http_code}\n' --path-as-is 'https://your-wordpress-site.com/wp-content/plugins/store-locator/../../../../etc/passwd'   # without --path-as-is curl collapses the ../ segments before sending; a 200 here means the web server itself resolved the traversal. The plugin's own inclusion goes through a request parameter not named on this page, so test that parameter as well
• generic web:
grep -iE '(\.\./|\.\.\\|%2e%2e(%2f|%5c|/)|\.\.%2f)' /var/log/apache2/access.log   # path traversal attempts in logs, including URL-encoded dot-segments that a literal "../" search would miss
Exploit status
EPSS
0.17% (38th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-23422 is to update the moaluko Store Locator plugin to version 3.98.11 or later without delay. If the update cannot be applied immediately because of compatibility or testing constraints, put temporary controls in place: tighten file permissions so the web server user cannot read more than it needs (PHP's open_basedir directive can confine file access to the document root), deploy a Web Application Firewall rule that blocks path traversal attempts, and review the plugin's configuration so that no sensitive files are exposed. A WAF rule that only matches the literal string '../' is not enough; it must also catch URL-encoded (%2e%2e%2f, %2e%2e/, ..%2f), double-encoded (%252e) and backslash variants, or be applied after the request has been decoded. After updating, verify the fix by sending a request to the plugin's file parameter with a value that points outside the plugin directory; the request must be rejected and no file content may be returned.
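The following is a worked example added to this advisory; it is not code from the plugin or from the original page. It shows the two sides of the problem described above: the containment check a hardened file include should perform (decode, collapse dot-segments, confirm the result is still under the plugin directory), and a scan of access-log lines that catches the encoded traversal variants a literal search for '../' misses. The install path PLUGIN_BASE and the ?file= request parameter are hypothetical placeholders, since the page does not name the plugin's real parameter, and the log lines are constructed for the example.

```python
"""Path traversal containment and log detection (added example, not plugin code)."""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical install path; stands in for the real plugin directory on a server.
PLUGIN_BASE = "/var/www/html/wp-content/plugins/store-locator"

# A dot-segment that climbs one directory, checked after the request is decoded.
CLIMB_RE = re.compile(r"\.\.(?:/|\\|$)")

# Apache/nginx combined log format: client ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Constructed sample log lines; the ?file= parameter is a placeholder, not the plugin's.
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/store-locator/?file=../../../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.4"',
    '203.0.113.5 - - [24/Jan/2025:10:00:02 +0000] "GET /wp-content/plugins/store-locator/?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1824 "-" "curl/8.4"',
    '198.51.100.7 - - [24/Jan/2025:10:00:03 +0000] "GET /wp-content/plugins/store-locator/?file=%252e%252e%252fwp-config.php HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [24/Jan/2025:10:00:04 +0000] "GET /wp-content/plugins/store-locator/assets/map.v2.js HTTP/1.1" 200 9120 "https://shop.example/" "Mozilla/5.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e%2f and double-encoded %252e forms are revealed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_within(base: str, user_path: str):
    """Containment check a hardened include should perform on an untrusted path value.

    Decodes the value, rejects NUL bytes, treats backslashes as separators, joins it
    under base, collapses dot-segments, and returns the resolved path only if it is
    still inside base. Returns None for anything that escapes.
    """
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        return None
    candidate = decoded.replace("\\", "/").lstrip("/")
    base_norm = posixpath.normpath(base)
    resolved = posixpath.normpath(posixpath.join(base_norm, candidate))
    if resolved == base_norm or resolved.startswith(base_norm + "/"):
        return resolved
    return None


def scan_access_log(lines):
    """Return (ip, decoded_target) for requests whose path or query contains a climbing
    dot-segment after decoding. Decoding first is what makes the encoded variants visible."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = fully_decode(m.group("target"))
        if CLIMB_RE.search(target):
            hits.append((m.group("ip"), target))
    return hits


if __name__ == "__main__":
    for value in ("templates/map.php", "../../../../wp-config.php", "%252e%252e%252fwp-config.php"):
        print(f"{value!r:40} -> {resolve_within(PLUGIN_BASE, value)}")
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

Of the four constructed log lines, a literal grep for '../' flags only the first; the scan flags the first three because it decodes before matching. The containment check accepts "templates/../map.php" (it normalises to a file inside the plugin directory) while rejecting every form that resolves outside it, which is the behaviour to confirm against the real parameter once the plugin is updated.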
Update the Store Locator plugin to a fixed version. Consult the plugin's release notes for specific instructions on updating and on mitigating the local file inclusion vulnerability. Make a backup of your website before applying any update.
CVE-2025-23422 is a Path Traversal vulnerability in the moaluko Store Locator WordPress plugin, allowing attackers to potentially include arbitrary files and access sensitive data.
You are affected if you are using moaluko Store Locator versions 0.0.0 through 3.98.10. Upgrade to 3.98.11 or later to mitigate the risk.
The recommended fix is to upgrade the moaluko Store Locator plugin to version 3.98.11 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
At the time of writing there are no confirmed reports of active exploitation, but the simplicity of path traversal bugs makes this vulnerability a likely target once the vulnerable parameter is public.
Refer to the official moaluko Store Locator website or WordPress plugin repository for the latest security advisories and updates.