Platform
wordpress
Component
wp-businessdirectory
Fixed in
3.1.3
CVE-2025-32629 is an arbitrary file access vulnerability in the CMSJunkie WP-BusinessDirectory WordPress plugin. Because of improper path validation, an attacker can make the plugin read files outside its intended directory and return their contents. All versions up to and including 3.1.2 are affected; the fix shipped in version 3.1.3.
An arbitrary file access flaw lets the attacker read any file the web server process can read. On a WordPress host that includes wp-config.php, which holds the database credentials and the authentication salts, as well as other configuration files and the site's source code. With the database credentials an attacker can usually take over the WordPress installation outright, and the disclosed paths, versions and secrets make it easier to find and exploit further weaknesses on the host, or to use the server as a launchpad for attacks elsewhere. The flaw itself does not provide remote code execution; the risk lies in what the disclosed files enable.
CVE-2025-32629 was publicly disclosed on 2025-04-11. No public proof-of-concept (PoC) code had been released at the time of writing, but file-access bugs of this kind are trivial to reproduce once the vulnerable request is known, so one may well emerge. The EPSS score at the time of writing is 0.38% (59th percentile), i.e. a low estimated probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog.
Any site with the WP-BusinessDirectory plugin installed at version 3.1.2 or earlier is at risk. Sites on shared hosting are particularly exposed: the operator usually has limited control over the web server configuration and file permissions, so sensitive files beyond the site itself are more likely to be readable by the PHP process. Administrators who do not update plugins promptly or who have no other protective controls in place are also at increased risk.
• wordpress / composer / npm:
grep -rh "Version:" /var/www/html/wp-content/plugins/wp-businessdirectory/*.php  # reads the plugin header; 3.1.2 or lower is affected
• generic web:
curl -sI --path-as-is 'http://your-wordpress-site.com/wp-content/plugins/wp-businessdirectory/../../../../etc/passwd'  # Attempt to access a sensitive file; --path-as-is stops curl from collapsing the ../ segments before sending. A 200 here means the web server itself serves the traversal; a 404/403 does not prove the plugin is fixed, because this request never reaches the plugin's code.
Exploit status
disclosure
EPSS
0.38% (59th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-32629 is to upgrade the WP-BusinessDirectory plugin to version 3.1.3 or later without delay. If that is not immediately possible, add a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences; the rule must match after URL decoding, because "../" is just as easily sent as "%2e%2e%2f" or double-encoded as "%252e%252e%252f". Restrict file permissions so that the PHP process can read only what it needs (wp-config.php in particular should not be world-readable); this limits what a successful read can reach. Review the plugin inventory regularly and remove unused or abandoned plugins. After upgrading, confirm the fix by replaying a traversal request against the plugin and checking that file contents are no longer returned, and search the access logs for earlier traversal attempts.
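The mitigation above calls for a path check in the application and a decoding-aware WAF rule. The following is an added example written for this page, not code from the advisory or from the WP-BusinessDirectory plugin: safe_resolve() is the generic containment check that an "improper path validation" bug lacks, looks_like_traversal() is the decoding-aware match a WAF rule or log search needs, and flag_requests() runs it over constructed access-log lines. The upload directory, the query parameter name f and the log lines are assumptions for illustration; the advisory does not name the plugin's vulnerable parameter.

```python
"""Added example for CVE-2025-32629, not code from the advisory or the plugin.

1. safe_resolve(): the server-side containment check that "improper path
   validation" bugs lack. Generic pattern, not CMSJunkie's actual patch.
2. looks_like_traversal(): the request-level check a WAF rule needs; it
   percent-decodes twice (plain and double encoding) before matching.
3. flag_requests(): runs that check over constructed access-log lines.
"""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed document-root layout; only the containment logic matters.
UPLOAD_DIR = "/var/www/html/wp-content/uploads"


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` inside `base_dir`, or None if it
    would escape. realpath() collapses '..' and follows symlinks; commonpath()
    avoids the '/var/www/html-evil' prefix trap of a plain startswith()."""
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `requested` is absolute, so
    # '/etc/passwd' resolves to itself and fails the containment check below.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# '../' or '..\' anywhere, or a trailing '/..'. Applied AFTER decoding, so
# %2e%2e%2f and double-encoded %252e%252e%252f are caught as well.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|[\\/]\.\.$")


def looks_like_traversal(raw_target: str) -> bool:
    """Decode percent-encoding twice, then look for a traversal sequence."""
    decoded = raw_target
    for _ in range(2):
        decoded = unquote(decoded)
    return TRAVERSAL_RE.search(decoded) is not None


# Apache/nginx "combined" format: client address, request target, status.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})'
)

# Constructed sample lines for this example, not real traffic. The parameter
# "f" is made up; the advisory does not name the vulnerable parameter.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [11/Apr/2025:10:01:02 +0000] "GET /wp-content/plugins/wp-businessdirectory/?f=../../../../wp-config.php HTTP/1.1" 200 3182',
    '203.0.113.7 - - [11/Apr/2025:10:01:05 +0000] "GET /wp-content/plugins/wp-businessdirectory/?f=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2419',
    '198.51.100.4 - - [11/Apr/2025:10:02:11 +0000] "GET /wp-content/plugins/wp-businessdirectory/assets/style.css HTTP/1.1" 200 8811',
    '203.0.113.7 - - [11/Apr/2025:10:03:40 +0000] "GET /wp-content/plugins/wp-businessdirectory/?f=..%252f..%252fetc%252fpasswd HTTP/1.1" 403 199',
]


def flag_requests(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, request_target, status) for each line whose target
    looks like a traversal attempt. A 200 on such a line needs triage; a 403
    is what a correctly placed WAF rule looks like in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and looks_like_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


if __name__ == "__main__":
    for req in ("listings/logo.png", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:28} -> {safe_resolve(UPLOAD_DIR, req)}")
    for client, target, status in flag_requests(SAMPLE_ACCESS_LOG):
        print(f"{client} {status} {target}")
```

Run it directly to see the resolved paths and the flagged lines. The two 200 responses in the sample are the ones that would need triage after an upgrade; the double-encoded request was already answered with 403, which is the expected result once a decoding-aware WAF rule is in place.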
Update the WP-BusinessDirectory plugin to the latest available version to fix the path traversal vulnerability. Check for available updates in the WordPress admin dashboard or in the WordPress plugin repository. Take a full backup of the site before applying any update.
CVE-2025-32629 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server running the WP-BusinessDirectory plugin. It impacts versions 0.0.0–3.1.2.
You are affected if your WordPress site uses the WP-BusinessDirectory plugin and is running version 3.1.2 or earlier. Check your plugin versions immediately.
Upgrade the WP-BusinessDirectory plugin to version 3.1.3 or later. If immediate upgrade is not possible, restrict file access permissions and consider WAF rules.
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the CMSJunkie website and WordPress plugin repository for the official advisory and update information.