Platform
wordpress
Component
delete-comments-by-status
Fixed in
2.1.2
A path traversal vulnerability has been identified in the Delete Comments By Status WordPress plugin. By manipulating a file path, an attacker can reach files and directories on the server outside the location the plugin intends to access. All versions up to and including 2.1.1 are affected (the advisory gives the range as 0.0.0 to 2.1.1); the fix is released in version 2.1.2.
The path traversal in Delete Comments By Status lets an attacker bypass the intended directory restriction and retrieve files from locations they should not be able to reach. By sending requests with a crafted file path (for example one containing `../` segments), an attacker could read configuration files, source code, or other sensitive data stored on the web server. The direct impact is information disclosure; code execution is possible only indirectly, for instance if a disclosed configuration file contains credentials that give the attacker further access. The blast radius is every file the web server's process user can read, which on a WordPress host normally includes wp-config.php.
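As an added illustration of the mechanism described above (this is not code from the Delete Comments By Status plugin, whose vulnerable function is not shown on this page), the Python script below contrasts the vulnerable pattern, lexical normalisation of a concatenated path, with a hardened check that resolves the path on disk and confines it to a base directory. The directory layout, the file names and the sample input values are constructed for the demo. In PHP the same hardened check is realpath() on the joined path followed by a whole-segment prefix comparison against realpath() of the base directory.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the allowed base directory."""


def naive_join(base_dir, user_path):
    """The vulnerable pattern: concatenate, then normalise the text.

    os.path.normpath collapses "." and ".." segments lexically; it does not keep
    the result inside base_dir and it never consults the filesystem, so symlinks
    inside base_dir that point elsewhere are invisible to it.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def naive_readable(base_dir, user_path):
    """What the vulnerable pattern would end up opening: True if that file exists."""
    return os.path.isfile(naive_join(base_dir, user_path))


def safe_join(base_dir, user_path):
    """Hardened join: reject NUL bytes and absolute paths, resolve on disk, then
    require the resolved path to sit inside base_dir.

    user_path is assumed to be already URL-decoded by the web layer (as request
    parameters are in PHP's $_GET), so it is deliberately not decoded again.
    """
    base_dir = os.path.realpath(base_dir)
    if "\x00" in user_path:
        raise PathTraversalError("NUL byte in path")
    if os.path.isabs(user_path):
        raise PathTraversalError("absolute path not allowed")
    # realpath resolves ".." segments and symlinks against the real filesystem.
    resolved = os.path.realpath(os.path.join(base_dir, user_path))
    # commonpath compares whole segments, so base "/a/b" does not accept "/a/bc/x".
    if os.path.commonpath([base_dir, resolved]) != base_dir:
        raise PathTraversalError("%r escapes %s" % (user_path, base_dir))
    return resolved


def classify(base_dir, user_path):
    """'allowed' or 'blocked' for one request path under the hardened check."""
    try:
        safe_join(base_dir, user_path)
        return "allowed"
    except PathTraversalError:
        return "blocked"


def build_demo_tree():
    """Create a throwaway layout (constructed sample data, not a real site):

        <root>/wp-content/uploads          allowed base directory
        <root>/wp-content/uploads/link ->  <root>/secret   (symlink pointing outside)
        <root>/secret/db-creds.txt
        <root>/wp-config.php

    Returns (root, base_dir).
    """
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    base_dir = os.path.join(root, "wp-content", "uploads")
    os.makedirs(base_dir)
    secret_dir = os.path.join(root, "secret")
    os.makedirs(secret_dir)
    with open(os.path.join(secret_dir, "db-creds.txt"), "w") as fh:
        fh.write("constructed sample secret\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php // constructed sample, not a real config\n")
    os.symlink(secret_dir, os.path.join(base_dir, "link"))
    return root, base_dir


# Constructed request values: a legitimate name, two traversal attempts (".."
# segments and a symlink that leaves the base), an absolute path and a NUL byte.
DEMO_INPUTS = ("export.csv", "../../wp-config.php", "link/db-creds.txt",
               "/etc/passwd", "export.csv\x00.php")


def demo_results():
    """Map each sample input to (file reachable via the naive join, hardened verdict)."""
    _root, base_dir = build_demo_tree()
    return {p: (naive_readable(base_dir, p), classify(base_dir, p)) for p in DEMO_INPUTS}


if __name__ == "__main__":
    for user_path, (reachable, verdict) in demo_results().items():
        print("%-24r naive join reaches a file: %-5s hardened: %s" % (user_path, reachable, verdict))
```

The symlink case is why the check uses realpath() rather than normpath(): `link/db-creds.txt` looks like it stays under the uploads directory as text, and the naive join opens the secret file through the link, while the resolved path lands outside the base and is rejected.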
This vulnerability was publicly disclosed on 2025-03-03. As of this writing there are no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog. Path traversal bugs are usually simple to weaponise once the vulnerable parameter is known, so a proof-of-concept may appear in the near future.
WordPress sites running Delete Comments By Status 2.1.1 or earlier (the advisory gives the range as 0.0.0 to 2.1.1) are at risk. Shared hosting environments in which the PHP process can read files outside the site's own document root are exposed to a wider read, since a traversal is limited only by the permissions of that process.
• wordpress / composer / npm: check the installed plugin version; anything at or below 2.1.1 is affected.
grep -i 'Version:' /var/www/html/wp-content/plugins/delete-comments-by-status/*.php
wp plugin get delete-comments-by-status --field=version
The original heuristic, grepping the plugin's source for traversal sequences, needs the pattern taken literally (as a regular expression, "../" matches any two characters followed by a slash):
grep -rF '../' /var/www/html/wp-content/plugins/delete-comments-by-status/
A hit there only shows that the code builds relative paths; it is not evidence of the bug, and its absence is not evidence of the fix.
• generic web:
curl -sI --path-as-is 'http://your-wordpress-site.com/wp-content/plugins/delete-comments-by-status/../../../../etc/passwd'
Without --path-as-is, curl collapses the dot segments before sending the request, and the web server normalises the path again before routing, so this probe exercises only the front end's path handling. A 403 or 404 here does not show that the plugin is patched, because the plugin's vulnerable parameter is not documented in this advisory; rely on the version check.
Exploit status
EPSS
0.19% (41st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-25130 is to upgrade the Delete Comments By Status plugin to version 2.1.2 or later without delay. If an immediate upgrade is not feasible because of compatibility or testing requirements, add a Web Application Firewall (WAF) rule that blocks requests containing traversal sequences; match on the decoded request, since `../` also arrives as `%2e%2e%2f`, `..%2f` or double-encoded `%252e%252e%252f`, and a rule that matches only the literal `../` is trivially bypassed. Additionally, restrict file permissions so that the web server's process user can read only what it needs, which limits what a successful traversal can reach. Review web server logs regularly for requests carrying traversal sequences or unusual file reads.
Update the Delete Comments By Status plugin to the latest available version to mitigate the path traversal vulnerability. Check the plugin page on wordpress.org for the most recent version and update instructions. Back up your website before updating any plugin.
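For the WAF rule and the log review recommended above, here is an added example (not part of the advisory and not the plugin's code) in Python that scans Apache combined-format access log lines for `..` path segments, including the percent-encoded and double-encoded forms that a literal `../` rule misses, and separates attempts the server answered 2xx from those it refused. The log lines, the IP addresses, the admin-ajax.php endpoint and the `file` parameter are constructed for the demo; the plugin's real request vector is not documented on this page.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format. The endpoint and the
# "file" parameter are hypothetical; the plugin's real vulnerable parameter is
# not documented in this advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2025:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=../../wp-config.php HTTP/1.1" 200 1204 "-" "curl/8.5.0"
203.0.113.7 - - [03/Mar/2025:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 1204 "-" "curl/8.5.0"
203.0.113.7 - - [03/Mar/2025:10:01:19 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 403 0 "-" "curl/8.5.0"
198.51.100.4 - - [03/Mar/2025:10:02:01 +0000] "GET /wp-content/uploads/2025/03/report..final.pdf HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Mar/2025:10:02:05 +0000] "GET /wp-content/plugins/delete-comments-by-status/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD target protocol", status
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a whole segment: preceded by start-of-string, "/" or "\", followed by "/", "\" or end.
# Requiring a segment boundary keeps file names such as "report..final.pdf" out of the results.
DOTDOT_SEGMENT_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def decode_repeatedly(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded %252e%252e%252f is seen as "../" as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target):
    """True if the request path or any query key/value holds a '..' segment after decoding."""
    decoded = decode_repeatedly(target)
    # Split path and query fields so "file=../x" is inspected as "../x".
    for field in re.split(r"[?&=]", decoded):
        if DOTDOT_SEGMENT_RE.search(field):
            return True
    return False


def scan_log(text):
    """Return one dict per suspicious request: ip, timestamp, status, raw and decoded target."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m or not is_traversal_attempt(m.group("target")):
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "target": m.group("target"),
            "decoded": decode_repeatedly(m.group("target")),
        })
    return hits


def successful_hits(hits):
    """Subset the server answered 2xx: these need incident review, not just a block rule."""
    return [h for h in hits if 200 <= h["status"] < 300]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print("%s %s %s -> %s" % (h["ip"], h["ts"], h["status"], h["decoded"]))
    print("%d traversal attempts, %d answered 2xx" % (len(found), len(successful_hits(found))))
```

The same decode-then-match logic is what a WAF rule needs: inspect the request after percent-decoding (bounded, to avoid unbounded work on pathological input) and match `..` only as a whole segment, otherwise legitimate file names with consecutive dots produce false positives while encoded attacks slip through.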
CVE-2025-25130 is a Path Traversal vulnerability affecting the Delete Comments By Status WordPress plugin, allowing attackers to read arbitrary files.
You are affected if you are using Delete Comments By Status versions 0.0.0 through 2.1.1. Upgrade to 2.1.2 or later to mitigate the risk.
Upgrade the Delete Comments By Status plugin to version 2.1.2 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
There are currently no reports of active exploitation, but the vulnerability is publicly known and path traversal bugs are usually easy to exploit once the vector is known, so patching should not wait.
Check the Delete Comments By Status plugin page on WordPress.org for updates and security advisories.