Platform
wordpress
Component
fwdevp
Fixed in
10.0.1
CVE-2025-28955 describes an Arbitrary File Access vulnerability discovered in the Easy Video Player Wordpress & WooCommerce plugin developed by FWDesign. This vulnerability allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability affects versions from 0.0.0 through 10.0 and has been resolved in version 10.0.1.
An attacker exploiting this vulnerability could leverage path traversal to access files outside of the intended directory. This could include configuration files containing database credentials, source code with sensitive information, or other private data. Successful exploitation could lead to unauthorized access to sensitive information, potential compromise of the entire WordPress installation, and even remote code execution if the attacker can leverage the accessed files to execute malicious code. The impact is amplified if the server hosts multiple WordPress sites or if the plugin is widely deployed.
CVE-2025-28955 was publicly disclosed on 2025-07-16. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
WordPress websites utilizing the Easy Video Player Wordpress & WooCommerce plugin, particularly those running older, unpatched versions (0.0.0–10.0), are at risk. Shared hosting environments where users have limited control over plugin updates are also particularly vulnerable.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/easy-video-player-woocommerce/
• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/plugins/easy-video-player-woocommerce/../../../../etc/passwd' # Check for file disclosure
Exploit status
EPSS
0.08% (23rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-28955 is to immediately upgrade the Easy Video Player Wordpress & WooCommerce plugin to version 10.0.1 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on sensitive directories to prevent unauthorized access. Regularly review WordPress plugin installations and remove any unused or outdated plugins.
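As an added example (not part of this advisory and not FWDesign's code), a detector for web-server access logs that flags requests aimed at this plugin's directory which escape it, decoding URL encoding repeatedly so that the percent-encoded and double-encoded variants a literal `../` WAF rule misses are caught as well; the sample log lines and the `player.php?file=` request shape are constructed assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Directory served by the affected plugin, relative to the WordPress document root.
PLUGIN_DIR = "/wp-content/plugins/easy-video-player-woocommerce/"
# Common/combined log format prefix: client - user [timestamp] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(text: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences such as %252e%252e are normalized too."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def is_traversal_attempt(request_target: str) -> bool:
    """True when a request aimed at the plugin directory escapes it via the path or a query value."""
    path, _, query = request_target.partition("?")
    path = decode_fully(path).replace("\\", "/")
    if not path.startswith(PLUGIN_DIR):
        return False                                   # not a request to this plugin
    if not (normpath(path) + "/").startswith(PLUGIN_DIR):
        return True                                    # ../ segments resolve outside the plugin
    for pair in query.split("&"):                      # e.g. ?file=..%2F..%2Fwp-config.php
        value = decode_fully(pair.partition("=")[2]).replace("\\", "/")
        if ".." in value.split("/"):
            return True
    return False

def scan_log(lines):
    """Return (client, request target, status) for every flagged request; 404s still show probing."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m["target"]):
            hits.append((m["ip"], m["target"], m["status"]))
    return hits

# Constructed sample log lines; the player.php?file= request shape is an assumption, not the plugin's real endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jul/2025:10:00:01 +0000] "GET /wp-content/plugins/easy-video-player-woocommerce/js/player.js HTTP/1.1" 200 5120',
    '203.0.113.7 - - [16/Jul/2025:10:00:02 +0000] "GET /wp-content/plugins/easy-video-player-woocommerce/../../../../etc/passwd HTTP/1.1" 404 312',
    '198.51.100.9 - - [16/Jul/2025:10:00:03 +0000] "GET /wp-content/plugins/easy-video-player-woocommerce/%252e%252e/%252e%252e/wp-config.php HTTP/1.1" 200 2048',
    '198.51.100.9 - - [16/Jul/2025:10:00:04 +0000] "GET /wp-content/plugins/easy-video-player-woocommerce/player.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048',
    '192.0.2.5 - - [16/Jul/2025:10:00:05 +0000] "GET /wp-content/plugins/other-plugin/../index.php HTTP/1.1" 200 100',
]
```

Running `scan_log` over a real access log returns three hits for the sample above, including the 404 line, since a failed probe is still worth triaging.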
Update the Easy Video Player Wordpress & WooCommerce plugin to the latest available version to fix the directory traversal vulnerability. Check for updates in the WordPress admin panel or in the WordPress plugin repository. Be sure to back up the site before updating.
CVE-2025-28955 is a HIGH severity vulnerability in Easy Video Player Wordpress & WooCommerce allowing attackers to read arbitrary files via path traversal. It affects versions 0.0.0–10.0.
If you are using Easy Video Player Wordpress & WooCommerce versions 0.0.0 through 10.0, you are affected by this vulnerability.
Upgrade to version 10.0.1 or later to resolve the Arbitrary File Access vulnerability. Consider WAF rules as a temporary mitigation.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the FWDesign website and WordPress plugin repository for the official advisory and update information.