Platform
wordpress
Component
oxygen-mydata
Fixed in
1.0.65
CVE-2025-32631 describes an Arbitrary File Access vulnerability discovered in the Oxygen MyData for WooCommerce plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability affects versions from 0.0.0 up to and including 1.0.64. A patch has been released in version 1.0.64.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside of the intended directory. In the context of Oxygen MyData for WooCommerce, this could allow an attacker to read configuration files, database credentials, or other sensitive data stored on the web server. Successful exploitation could lead to data breaches, compromise of the WordPress installation, and potentially, further access to the underlying server infrastructure. The impact is amplified if the server is hosting multiple websites or sensitive data.
CVE-2025-32631 was publicly disclosed on 2025-04-11. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The relatively low profile of the plugin may limit immediate exploitation, but the ease of exploitation via path traversal makes it a potential target.
Websites utilizing Oxygen MyData for WooCommerce, particularly those running older, unpatched versions (0.0.0–1.0.64), are at risk. Shared hosting environments are particularly vulnerable as they often have limited control over plugin updates and server configurations. Sites with weak file permission configurations are also at increased risk.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/oxygen-mydata-for-woocommerce/*
• generic web:
curl -I https://your-wordpress-site.com/wp-content/plugins/oxygen-mydata-for-woocommerce/../../../../etc/passwd
• wordpress / composer / npm:
wp plugin list --status=inactive | grep oxygen-mydata
disclosure
Exploit status
EPSS
0.38% (59th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-32631 is to immediately upgrade the Oxygen MyData for WooCommerce plugin to version 1.0.64 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting file access permissions on the server, using a Web Application Firewall (WAF) to filter malicious requests, or implementing input validation to sanitize file paths. Regularly review server logs for suspicious activity related to file access attempts.
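One way to carry out the log review suggested above, as an added example that is not part of the original advisory or the plugin's code: it scans Combined Log Format access-log lines for requests that reference the plugin and still contain a ".." path segment after repeated percent-decoding. The log lines, the "doc" parameter and the asset path are constructed for illustration; the "oxygen-mydata" marker is taken from the paths in the commands on this page.

```python
import re
from urllib.parse import unquote

# Assumption: plugin marker as it appears in the paths used on this page.
PLUGIN_MARKER = "oxygen-mydata"
# Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# A ".." segment bounded by /, \, =, ?, & or the start/end of the target.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&])\.\.(?:[/\\]|$)')

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded dots surface."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def suspicious_requests(lines):
    """Return (client, time, status, decoded_target) for each request that
    references the plugin and contains a traversal segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        client, when, _method, target, status = m.groups()
        decoded = fully_decode(target)
        if PLUGIN_MARKER in decoded.lower() and TRAVERSAL_RE.search(decoded):
            hits.append((client, when, int(status), decoded))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical parameter).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Apr/2025:10:01:02 +0000] "GET /wp-content/plugins/'
    'oxygen-mydata-for-woocommerce/../../../../etc/passwd HTTP/1.1" 404 153',
    '203.0.113.7 - - [12/Apr/2025:10:01:05 +0000] "GET /wp-content/plugins/'
    'oxygen-mydata-for-woocommerce/?doc=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1432',
    '198.51.100.20 - - [12/Apr/2025:10:02:00 +0000] "GET /wp-content/plugins/'
    'oxygen-mydata-for-woocommerce/assets/app.js?ver=1.0.64 HTTP/1.1" 200 5120',
    '198.51.100.20 - - [12/Apr/2025:10:02:09 +0000] "GET /blog/../feed HTTP/1.1" 301 0',
]

if __name__ == "__main__":
    for client, when, status, target in suspicious_requests(SAMPLE_LOG):
        print(f"{when} {client} status={status} {target}")
```

Hits that returned a 200 status deserve the first look, since they indicate the server answered the request rather than rejecting it.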
Update the Oxygen MyData for WooCommerce plugin to the latest available version to fix the directory traversal vulnerability. This update corrects the lack of proper path restriction, preventing arbitrary file deletion.
CVE-2025-32631 is a HIGH severity vulnerability allowing attackers to read files outside of intended directories in Oxygen MyData for WooCommerce due to improper path validation.
You are affected if you are using Oxygen MyData for WooCommerce versions 0.0.0 through 1.0.64. Upgrade to 1.0.64 or later to resolve the issue.
Upgrade Oxygen MyData for WooCommerce to version 1.0.64 or later. Consider WAF rules to block path traversal attempts as an interim measure.
As of now, there are no confirmed reports of active exploitation, but the HIGH severity score warrants immediate attention and patching.
Refer to the official Oxygen Suite website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-32631.