Platform: wordpress
Component: xlsx-viewer
Fixed in: 2.1.2
CVE-2025-23562 describes an Arbitrary File Access vulnerability within the XLSXviewer WordPress plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. Versions of XLSXviewer from 0.0.0 through 2.1.1 are affected. A fix is available in version 2.1.2.
The Arbitrary File Access vulnerability in XLSXviewer allows an attacker to bypass intended access controls and read arbitrary files on the server. This could expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation requires an attacker to interact with the XLSXviewer plugin, potentially through a crafted file upload or by manipulating URL parameters. The blast radius extends to any data accessible by the web server process, potentially compromising the entire WordPress installation and any connected systems.
CVE-2025-23562 was publicly disclosed on January 22, 2025. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's ease of exploitation and potential impact warrant close monitoring.
WordPress websites utilizing the XLSXviewer plugin, particularly those running older, unpatched versions (0.0.0–2.1.1), are at risk. Shared hosting environments where users have limited control over plugin updates are especially vulnerable. Websites that process user-supplied data without proper sanitization are also at increased risk.
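• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/xlsx-viewer/ # -F matches the literal string "../" instead of treating the dots as regex wildcards
• generic web:
curl -I --path-as-is 'http://your-wordpress-site.com/wp-content/plugins/xlsx-viewer/../../../../etc/passwd' # Check for file access; --path-as-is stops curl from collapsing the ../ segments before the request is sent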
Exploit status
EPSS: 0.26% (49th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-23562 is to immediately upgrade the XLSXviewer plugin to version 2.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file access permissions on the server to limit the potential impact of a successful exploit. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious path traversal sequences (e.g., ../). Monitor web server access logs for unusual file access attempts.
Update the XLSXviewer plugin to the latest available version to mitigate the directory traversal vulnerability. Check for available updates in the WordPress repository or on the developer's website. Make sure to take a full backup of your website before applying any update.
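The log monitoring recommended above can be scripted. The following is an added example, not code from the plugin or from this advisory: it scans access-log entries for requests that mention the xlsx-viewer component and contain `../` segments after percent-decoding. The combined log format, the sample entries, and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

PLUGIN_SLUG = "xlsx-viewer"  # component name from the advisory
# Combined log format is assumed: client, identity, user, [time], "request", status.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# A ".." path segment: preceded by a separator, followed by "/" or end of string.
TRAVERSAL_RE = re.compile(r'(^|[/=&?])\.\.(/|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")  # treat backslashes as path separators

def find_traversal_requests(lines):
    """Return (client, status, raw_uri) for plugin requests containing ../ segments."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a parsable access-log entry
        client, _method, uri, status = match.groups()
        decoded = fully_decode(uri)
        if PLUGIN_SLUG in decoded and TRAVERSAL_RE.search(decoded):
            hits.append((client, int(status), uri))
    return hits

# Constructed sample entries (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/xlsx-viewer/../../../../etc/passwd HTTP/1.1" 400 0',
    '203.0.113.7 - - [22/Jan/2025:10:00:02 +0000] "GET /wp-content/plugins/xlsx-viewer/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '198.51.100.23 - - [22/Jan/2025:10:05:40 +0000] "GET /wp-content/plugins/xlsx-viewer/%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 200 1843',
    '192.0.2.10 - - [22/Jan/2025:10:06:00 +0000] "GET /wp-content/plugins/xlsx-viewer/readme.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [22/Jan/2025:10:06:05 +0000] "GET /wp-content/uploads/xlsx-viewer/report..final.xlsx HTTP/1.1" 200 9120',
]

if __name__ == "__main__":
    for client, status, uri in find_traversal_requests(SAMPLE_LOG):
        # A 2xx status on a traversal request deserves immediate review.
        flag = "REVIEW" if 200 <= status < 300 else "blocked/failed"
        print(f"{client} {status} {flag} {uri}")
```

Entries flagged with a 2xx status are the ones to investigate first, since the server answered the traversal request successfully.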
CVE-2025-23562 is a vulnerability in the XLSXviewer WordPress plugin that allows attackers to read arbitrary files on the server due to improper path validation.
You are affected if you are using XLSXviewer versions 0.0.0 through 2.1.1 on your WordPress site. Check your plugin versions immediately.
Upgrade the XLSXviewer plugin to version 2.1.2 or later to resolve the vulnerability. If immediate upgrade is not possible, implement WAF rules to block path traversal attempts.
While no active exploitation has been confirmed, the ease of exploitation suggests a potential for attacks. Monitor your systems closely.
Refer to the plugin developer's website or the WordPress plugin repository for the latest advisory and update information.