Platform: wordpress
Component: image-shadow
Fixed in: 1.1.1
CVE-2025-24765 describes an Arbitrary File Access vulnerability within the Image Shadow plugin for WordPress. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. Versions of Image Shadow from 0.0.0 through 1.1.0 are affected. A fix is available in version 1.1.1.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access controls and read arbitrary files on the server. Successful exploitation could lead to the disclosure of sensitive configuration files, database credentials, or even source code. The impact is amplified in shared hosting environments where multiple websites reside on the same server, potentially exposing data from other tenants. While no direct precedent exists for Image Shadow specifically, path traversal vulnerabilities are frequently exploited to gain unauthorized access and escalate privileges, similar to attacks targeting other WordPress plugins with inadequate file access controls.
CVE-2025-24765 was published on 2025-06-27. Currently, there are no known public proof-of-concept exploits. The EPSS score is pending evaluation. Monitor security advisories and vulnerability databases for updates regarding active exploitation campaigns.
WordPress websites utilizing the Image Shadow plugin, particularly those running older versions (0.0.0–1.1.0), are at risk. Shared hosting environments where users have limited control over plugin installations are also particularly vulnerable.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/image-shadow/
• generic web:
curl -I --path-as-is http://your-wordpress-site.com/wp-content/plugins/image-shadow/../../../../etc/passwd | head -n 1
(--path-as-is is needed because curl otherwise resolves the ../ segments client-side before sending the request, so the traversal path would never reach the server and the check would be meaningless.)
Exploit status: disclosure
EPSS: 0.09% (26th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-24765 is to upgrade the Image Shadow plugin to version 1.1.1 or later without delay. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences (e.g., ../) as a temporary measure. Additionally, restrict file permissions on sensitive directories to limit what a traversal could read. Regularly review WordPress plugin installations and ensure they come from trusted sources.
Update the Image Shadow plugin to the latest available version to fix the directory traversal vulnerability. Check for plugin updates directly in the WordPress admin panel or through the official WordPress.org repository.
CVE-2025-24765 is a HIGH severity vulnerability allowing attackers to read files outside of intended directories in Image Shadow versions 0.0.0–1.1.0.
Yes, if you are using Image Shadow versions 0.0.0 through 1.1.0, you are affected by this vulnerability.
Upgrade the Image Shadow plugin to version 1.1.1 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
As of 2025-06-27, no active exploitation has been confirmed, but monitoring is recommended.
Refer to the RobMarsh project's official website or WordPress plugin repository for the latest advisory and updates.