Platform
wordpress
Component
images-optimizer
Fixed in
3.3.1
CVE-2025-25163 describes an Arbitrary File Access vulnerability discovered in the A/B Image Optimizer WordPress plugin. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths. Versions of the plugin from 0.0.0 up to and including 3.3 are affected. A patch has been released in version 3.3.1.
The primary impact of CVE-2025-25163 is the potential for unauthorized access to sensitive files on the web server. An attacker could exploit this path traversal vulnerability to read configuration files, database credentials, source code, or other confidential data. Successful exploitation could lead to data breaches, compromise of server integrity, and potentially further attacks if sensitive information is exposed. The blast radius extends to any data accessible by the web server's user account.
CVE-2025-25163 was publicly disclosed on 2025-02-07. No public proof-of-concept exploits are currently known, but the path traversal nature of the vulnerability makes it likely that one will emerge. The EPSS score is likely to be medium, given the ease of exploitation once a PoC is available. It is not currently listed on the CISA KEV catalog.
WordPress websites using the A/B Image Optimizer plugin, particularly those running older versions (0.0.0–3.3), are at risk. Shared hosting environments where users have limited control over plugin installations are also particularly vulnerable.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/images-optimizer/*
• generic web:
curl -I "http://your-wordpress-site.com/wp-content/plugins/images-optimizer/../../../../etc/passwd"
Disclosure
Exploit status
EPSS
25.69% (96th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-25163 is to immediately upgrade the A/B Image Optimizer plugin to version 3.3.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Restrict file permissions on the WordPress directory to minimize the potential damage if the vulnerability is exploited. Monitor WordPress access logs for suspicious file access attempts. After upgrading, verify the fix by attempting to access a non-public file via a crafted URL containing path traversal characters; the request should be denied.
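To support the log-monitoring step above, here is an added example (not part of the original advisory) that scans web-server access log lines for requests that target the plugin directory and carry a path traversal sequence, decoding percent-encoding first so encoded variants are not missed. The log format, the plugin path and the sample lines are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Assumed plugin directory, built from the component slug in the advisory.
PLUGIN_PATH = "/wp-content/plugins/images-optimizer/"

# Traversal sequences after decoding: "../", "..\" and a bare ".." path segment.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|(^|/)\.\.($|/))")

# Simplified Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(path: str) -> str:
    """Percent-decode repeatedly so %2e%2e%2f and double-encoded forms become '../'."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur

def is_traversal_attempt(path: str) -> bool:
    """True if the decoded request path hits the plugin directory with a traversal sequence."""
    decoded = normalize(path).split("?", 1)[0]
    return PLUGIN_PATH in decoded and bool(TRAVERSAL_RE.search(decoded))

def scan_log(lines):
    """Return (client_ip, decoded_path, http_status) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["path"]):
            hits.append((m["ip"], normalize(m["path"]), int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic); the first two should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Feb/2025:10:00:01 +0000] "GET /wp-content/plugins/images-optimizer/../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/8.0"',
    '203.0.113.5 - - [07/Feb/2025:10:00:02 +0000] "GET /wp-content/plugins/images-optimizer/%2e%2e/%2e%2e/wp-config.php HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.7 - - [07/Feb/2025:10:00:03 +0000] "GET /wp-content/plugins/images-optimizer/assets/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Feb/2025:10:00:04 +0000] "GET /wp-content/uploads/2025/02/photo..jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

A 200 status on a flagged request is the line to act on first, since it indicates the file was actually served rather than blocked by a WAF or the patched plugin.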
Update the A/B Image Optimizer plugin to the latest available version to fix the directory traversal vulnerability. Check for plugin updates directly in the WordPress admin panel or through the WordPress plugin repository. Make sure to take a full backup of your website before applying any update.
CVE-2025-25163 is a High severity vulnerability in the A/B Image Optimizer WordPress plugin that allows attackers to read arbitrary files on the server through path traversal.
You are affected if you are using A/B Image Optimizer versions 0.0.0 through 3.3. Upgrade to 3.3.1 or later to mitigate the risk.
Upgrade the A/B Image Optimizer plugin to version 3.3.1 or later. If immediate upgrade is not possible, restrict file upload access.
As of now, there are no confirmed reports of active exploitation, but the High severity score warrants immediate action.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.