Platform
wordpress
Component
aviation-weather-from-noaa
Fixed in
0.7.3
CVE-2025-28980 describes an Arbitrary File Access vulnerability discovered in the Aviation Weather from NOAA WordPress plugin. This flaw allows attackers to potentially read arbitrary files on the server due to improper input validation. Versions 0.0.0 through 0.7.2 are affected. A patch has been released in version 0.7.3.
The Arbitrary File Access vulnerability allows an attacker to read arbitrary files on the server hosting the Aviation Weather from NOAA plugin. This could expose sensitive configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the web server and potentially the entire network if the server has access to other resources. While the description doesn't explicitly mention it, the ability to read server files could be a stepping stone to further exploitation, such as code execution, depending on the files accessed and the server's configuration.
CVE-2025-28980 was publicly disclosed on 2025-07-04. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept code is not currently available, but the path traversal nature of the vulnerability makes it likely that a PoC will be developed. The vulnerability's relatively simple nature suggests a moderate likelihood of exploitation.
WordPress sites utilizing the Aviation Weather from NOAA plugin, particularly those running older, unpatched versions (0.0.0 - 0.7.2), are at significant risk. Shared hosting environments where users have limited control over plugin updates are especially vulnerable.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/aviation-weather-from-noaa/
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/aviation-weather-from-noaa/../../../../etc/passwd'
Exploit status
EPSS
0.08% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-28980 is to immediately upgrade the Aviation Weather from NOAA plugin to version 0.7.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Carefully review file permissions on the server to ensure that the web server user has minimal access to sensitive files. Monitor web server access logs for suspicious requests containing path traversal attempts.
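One way to implement the access-log monitoring suggested above, as an added example that is not part of the advisory or the plugin's code: it scans combined-format access log lines for requests that reference the plugin and carry a `..` path segment, including percent-encoded and double-encoded forms. The sample log lines, IP addresses, file names and the `f` parameter are constructed for illustration and are not taken from the plugin.

```python
import re
from urllib.parse import unquote

PLUGIN_SLUG = "aviation-weather-from-noaa"  # component name from the advisory
# Request line inside a combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# ".." as a whole path segment: preceded by a delimiter, followed by a slash or end
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&])\.\.(?:[/\\]|$)')


def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is revealed."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal_attempt(log_line):
    """True if the request references the plugin and contains a '..' segment."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return False
    target = fully_decode(match.group("target"))
    return PLUGIN_SLUG in target.lower() and bool(TRAVERSAL_RE.search(target))


def scan(lines):
    """Return (client_ip, raw_request_target) for every suspicious line."""
    return [(line.split(" ", 1)[0], REQUEST_RE.search(line).group("target"))
            for line in lines if is_traversal_attempt(line)]


# Constructed sample log lines (documentation IP ranges; file names and the
# "f" parameter are placeholders, not the plugin's real files or parameters).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jul/2025:10:00:01 +0000] "GET /wp-content/plugins/aviation-weather-from-noaa/../../../../etc/passwd HTTP/1.1" 404 153',
    '198.51.100.7 - - [04/Jul/2025:10:00:02 +0000] "GET /wp-content/plugins/aviation-weather-from-noaa/css/style.css?ver=0.7.2 HTTP/1.1" 200 812',
    '203.0.113.9 - - [04/Jul/2025:10:00:03 +0000] "GET /wp-content/plugins/aviation-weather-from-noaa/x.php?f=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0',
    '198.51.100.7 - - [04/Jul/2025:10:00:04 +0000] "GET /wp-content/plugins/aviation-weather-from-noaa/img/a..b.png HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(ip, target)
```

A hit with a 200 status on a host still running 0.7.2 or earlier deserves closer review than a 404, since the response may have returned file contents.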
Update the Aviation Weather from NOAA plugin to the latest available version to fix the directory traversal vulnerability. This update corrects how the plugin handles file paths, preventing unauthorized access to sensitive files.
CVE-2025-28980 is a HIGH severity vulnerability in Aviation Weather from NOAA allowing attackers to read arbitrary files due to a path traversal flaw. It affects versions 0.0.0 through 0.7.2.
If you are using Aviation Weather from NOAA version 0.0.0 to 0.7.2, you are affected by this vulnerability and should upgrade immediately.
Upgrade the Aviation Weather from NOAA plugin to version 0.7.3 or later. Consider WAF rules as a temporary mitigation.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Check the WordPress plugin repository and the developer's website for the latest advisory and update information.