Platform
wordpress
Component
dyapress
Fixed in
18.0.3
CVE-2025-30582 describes a Path Traversal vulnerability in the aytechnet DyaPress ERP/CRM system. The flaw is an improper limitation of a pathname to a restricted directory, which leads to PHP Local File Inclusion. Versions of DyaPress ERP/CRM from 0.0.0 through 18.0.2.0 are affected. A patch is available in version 18.0.3.
The Path Traversal vulnerability in DyaPress ERP/CRM allows an attacker to manipulate file paths, potentially leading to the inclusion of arbitrary files from the server's filesystem. This can result in the exposure of sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could grant an attacker significant control over the affected system, enabling them to read confidential information, modify system files, or even execute arbitrary code depending on the files they can include. The impact is particularly severe if the ERP/CRM system stores sensitive customer data or financial information.
CVE-2025-30582 was publicly disclosed on 2025-04-10. As of this date, there are no known public exploits or active campaigns targeting this vulnerability. The KEV status is currently unknown. Public proof-of-concept code may emerge, increasing the risk of exploitation.
Organizations using DyaPress ERP/CRM, particularly those still running an affected version (0.0.0–18.0.2.0) and those with limited security controls, are at significant risk. Shared hosting environments where multiple users share the same server are also particularly exposed, as a compromise of one DyaPress ERP/CRM instance could potentially affect other tenants.
• wordpress / composer / npm:
grep -r "../" /var/www/dyapress/
• generic web:
curl -I http://your-dyapress-server.com/../../../../etc/passwd
• wordpress / composer / npm:
wp plugin list --all | grep dyapress
Exploit status
EPSS
0.26% (49th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-30582 is to upgrade DyaPress ERP/CRM to version 18.0.3 or later, which includes the necessary fix. If an immediate upgrade is not possible, consider implementing temporary workarounds such as restricting file upload permissions and carefully reviewing any user-supplied input that is used in file path construction. Web Application Firewalls (WAFs) configured with rules to detect and block path traversal attempts can also provide an additional layer of protection. Regularly scan the system for misconfigurations and vulnerabilities.
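Added example, not part of this advisory and not DyaPress code: a Python sketch of the two controls the mitigation paragraph mentions, a WAF-style detector for traversal sequences in request paths (covering URL-encoded, double-encoded and backslash variants) and a containment check for code that builds a file path from user input. The plugin paths, the `page` parameter and the base directory in the samples are constructed for illustration.

```python
"""Defensive helpers for the path-traversal / LFI class described above."""
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample request paths, as they might appear in an access log.
SAMPLE_PATHS = [
    "/wp-content/plugins/dyapress/view.php?page=invoices",
    "/wp-content/plugins/dyapress/view.php?page=../../../../etc/passwd",
    "/wp-content/plugins/dyapress/view.php?page=..%2f..%2fwp-config.php",
    "/wp-content/plugins/dyapress/view.php?page=%252e%252e%252fwp-config.php",
    "/wp-content/plugins/dyapress/view.php?page=..\\..\\wp-config.php",
]

# A ".." segment that is not part of a longer name (e.g. "file..php")
# and is followed by a separator or the end of the string.
TRAVERSAL = re.compile(r"(?<![\w.])\.\.(?=/|$)")

def normalize(raw: str) -> str:
    """Percent-decode until the value stops changing (catches double
    encoding), then treat backslashes as separators so '..\\' reads '../'."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def is_traversal_attempt(raw: str) -> bool:
    """WAF-style check on a request path or query value."""
    return bool(TRAVERSAL.search(normalize(raw)))

def flag_requests(paths):
    """Return the request lines a blocking rule would have stopped."""
    return [p for p in paths if is_traversal_attempt(p)]

def resolve_within(base_dir: str, user_value: str) -> Optional[str]:
    """Containment check for code that maps user input to a file.
    Resolves symlinks and '..' first, then requires the result to stay
    under base_dir. commonpath (not startswith) is used so that a sibling
    such as '/srv/dyapress-evil' does not pass as inside '/srv/dyapress'.
    An absolute user value makes os.path.join discard base_dir, which the
    same check rejects."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalize(user_value)))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```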
Update the DyaPress ERP/CRM plugin to the latest available version to fix the local file inclusion vulnerability. Check the plugin page on WordPress.org for the most recent version and update instructions. Make sure to back up your website before updating any plugin.
CVE-2025-30582 is a Path Traversal vulnerability allowing attackers to include arbitrary files in DyaPress ERP/CRM, potentially leading to sensitive data exposure or code execution. It affects versions 0.0.0–18.0.2.0.
If you are using DyaPress ERP/CRM versions 0.0.0 through 18.0.2.0, you are potentially affected by this vulnerability. Upgrade to 18.0.3 or later to mitigate the risk.
The recommended fix is to upgrade DyaPress ERP/CRM to version 18.0.3 or later. As a temporary workaround, implement WAF rules to block path traversal attempts.
While no public exploits are currently known, the vulnerability's nature makes it easily exploitable, and active exploitation is possible.
Refer to the official DyaPress ERP/CRM security advisories on their website or through their support channels for the latest information.