Platform: wordpress
Component: wp01
Fixed in: 2.6.3
CVE-2025-30567 describes an Arbitrary File Access vulnerability within the WP01 WordPress plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability impacts versions 0.0.0 through 2.6.2 of the WP01 plugin, and a fix is available in version 2.6.3.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside of the intended directory. By crafting requests with path traversal sequences (e.g., ../), an attacker can potentially read configuration files, source code, or other sensitive data stored on the server. This could lead to information disclosure, privilege escalation, or even remote code execution if the attacker can leverage the accessed files (for example, database credentials) to compromise the system further. The potential blast radius is significant, as the set of readable files depends on the permissions of the web server process and the server's configuration.
CVE-2025-30567 was publicly disclosed on 2025-03-25. The vulnerability's simplicity and the widespread use of WordPress plugins make it a potential target for automated exploitation. There are currently no known public proof-of-concept exploits, but the ease of exploitation suggests that one may emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Websites utilizing the WP01 plugin in versions 0.0.0 through 2.6.2 are at risk. This includes sites using shared hosting environments where plugin updates may not be managed automatically, and those with legacy WordPress installations that haven't been regularly updated.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/wp01/*  # -F: match the literal string, not the regex "any two chars + slash"
• generic web:
curl -I --path-as-is 'http://example.com/wp-content/plugins/wp01/../../../../etc/passwd'  # Check for file disclosure; --path-as-is keeps curl from collapsing the ../ segments before sending
Exploit status:
EPSS: 27.19% (96th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-30567 is to immediately upgrade the WP01 plugin to version 2.6.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These might include restricting file access permissions on the server to limit the impact of a successful exploit, or using a Web Application Firewall (WAF) to filter out malicious requests containing path traversal sequences. Regularly review and update WordPress security plugins and themes to minimize the attack surface. After upgrading, confirm the fix by attempting a path traversal request and verifying that access is denied.
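As an added example (not code from the original advisory or from the WP01 project), the following Python script supports the detection and verification steps above: it scans web-server access log lines for path traversal attempts aimed at the WP01 plugin path, percent-decodes the target (including double encoding) so WAF-evading variants are still matched, and flags any such request that was answered with HTTP 200, which is the condition that should no longer occur once 2.6.3 is deployed. The log lines and the view.php?file= endpoint are constructed for illustration and are not taken from the plugin.

```python
"""Scan access logs for path traversal attempts against the WP01 plugin path."""
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (not real traffic). The
# view.php?file= endpoint is hypothetical and only serves to show encoded variants.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Mar/2025:10:00:01 +0000] "GET /wp-content/plugins/wp01/assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Mar/2025:10:00:02 +0000] "GET /wp-content/plugins/wp01/../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/8.0"
203.0.113.12 - - [25/Mar/2025:10:00:03 +0000] "GET /wp-content/plugins/wp01/view.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3001 "-" "python-requests/2.31"
203.0.113.13 - - [25/Mar/2025:10:00:04 +0000] "GET /wp-content/plugins/wp01/view.php?file=..%255c..%255cwp-config.php HTTP/1.1" 403 0 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PATH = "/wp-content/plugins/wp01/"
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")  # a ".." segment followed by a separator


def normalize_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences such as
    %255c are reduced; then fold backslashes to slashes for uniform matching."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def is_wp01_traversal(target: str) -> bool:
    """True if the decoded request targets the WP01 path and carries a '..' segment."""
    decoded = normalize_target(target)
    return PLUGIN_PATH in decoded and TRAVERSAL_RE.search(decoded) is not None


def scan_log(text: str) -> list[dict]:
    """Return one record per traversal attempt; 'served' marks a 200 response,
    i.e. a request that should be investigated as possible disclosure."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_wp01_traversal(m["target"]):
            continue
        status = int(m["status"])
        hits.append({"ip": m["ip"], "target": m["target"], "status": status,
                     "served": status == 200})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

After upgrading to 2.6.3, a rerun over fresh logs should show only non-200 statuses on such requests; any remaining 200 warrants a closer look at the served content and the web server's own path handling.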
Update the WP01 plugin to version 2.6.3 or later to mitigate the path traversal vulnerability. This update fixes the improper limitation of the file path, preventing unauthorized access to sensitive files.
CVE-2025-30567 is a vulnerability in the WP01 WordPress plugin that allows attackers to read arbitrary files on the server via path traversal.
You are affected if you are using WP01 versions 0.0.0 through 2.6.2. Upgrade to 2.6.3 or later to resolve the issue.
Upgrade the WP01 plugin to version 2.6.3 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
Currently, there are no confirmed reports of active exploitation, but monitoring is advised.
Refer to the WP01 plugin's official website or WordPress plugin repository for the latest security advisory and update information.