Platform
wordpress
Component
wpmastertoolkit
Fixed in
1.10.0
2.5.4
CVE-2025-3300 describes an arbitrary file access vulnerability in the WPMasterToolKit (WPMTK) – All in one plugin for WordPress. It allows authenticated administrators to read and modify arbitrary files on the server, potentially leading to data breaches and system compromise. The vulnerability affects versions 1.0.0 through 1.15.0; a fix is available in version 2.5.4.
Successful exploitation of CVE-2025-3300 grants an attacker the ability to read and modify any file accessible by the web server process. This includes configuration files, database credentials, source code, and potentially even system files. The impact is significant, as an attacker could gain complete control over the WordPress instance and the underlying server. A malicious actor could exfiltrate sensitive data, inject malicious code, or even compromise the entire system. The attack requires administrator privileges, but given the prevalence of WordPress and the potential for credential compromise, the blast radius is substantial.
CVE-2025-3300 was publicly disclosed on April 24, 2025. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. Given the relatively straightforward nature of directory traversal vulnerabilities, it is reasonable to assume that public exploits may emerge in the future.
WordPress websites using the WPMasterToolKit plugin, particularly those with administrator accounts that have not been secured with strong passwords or multi-factor authentication, are at risk. Shared hosting environments where multiple WordPress installations share the same server resources are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/wpmastertoolkit/
• generic web:
curl -I http://your-wordpress-site.com/wp-content/plugins/wpmastertoolkit/wp-content/../etc/passwd
Disclosure
Exploit status
EPSS
1.27% (79th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-3300 is to immediately upgrade the WPMasterToolKit (WPMTK) plugin to version 2.5.4 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file access permissions on the server to minimize the potential impact of a successful exploit. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block directory traversal attempts (e.g., ../ sequences in file paths) can provide an additional layer of defense. Monitor WordPress logs for suspicious file access patterns, particularly those involving unusual file paths.
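As an added example (not code from the advisory or from the plugin), the log-monitoring step above can be automated: the function below parses combined-format access-log lines, percent-decodes each request path repeatedly so double-encoded traversal sequences are not missed, and flags requests to the plugin that contain a `../` segment. The sample log lines and the `page`/`file` query parameters are constructed for illustration; the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# The "page=wpmastertoolkit&file=..." query shape is an assumption for the demo.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Apr/2025:10:01:02 +0000] "GET /wp-content/plugins/wpmastertoolkit/ HTTP/1.1" 200 512
203.0.113.5 - - [24/Apr/2025:10:01:03 +0000] "GET /wp-admin/admin.php?page=wpmastertoolkit&file=../../../wp-config.php HTTP/1.1" 200 2048
198.51.100.7 - - [24/Apr/2025:10:02:10 +0000] "GET /wp-admin/admin.php?page=wpmastertoolkit&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2048
198.51.100.7 - - [24/Apr/2025:10:02:11 +0000] "GET /wp-admin/admin.php?page=wpmastertoolkit&file=..%252f..%252fetc/passwd HTTP/1.1" 403 0
192.0.2.9 - - [24/Apr/2025:10:03:00 +0000] "GET /wp-admin/admin.php?page=wpmastertoolkit&file=readme.txt HTTP/1.1" 200 300
"""

# ip, timestamp, method, request path and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment that starts a path component (preceded by /, =, &, ? or line start).
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\.(?:/|$)')


def normalize(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches %252f double encoding) and unify slashes."""
    decoded = path
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def find_traversal_requests(log_text: str, component: str = "wpmastertoolkit"):
    """Return requests to `component` whose decoded path contains a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = normalize(m["path"])
        if component in path and TRAVERSAL_RE.search(path):
            hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]), "path": path})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["status"]} {hit["path"]}')
```

A 200 status on a flagged request deserves the most attention, since a blocked (403) attempt shows the WAF rule working while a successful one indicates the file may have been read.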
Update the WPMasterToolKit (WPMTK) – All in one plugin to version 2.5.4 or later to mitigate the directory traversal vulnerability. This update corrects how the plugin handles file paths, preventing unauthorized access to sensitive files on the server. Be sure to back up your website before updating the plugin.
CVE-2025-3300 is a HIGH severity vulnerability in WPMasterToolKit allowing authenticated admins to read/modify arbitrary files, potentially exposing sensitive data.
You are affected if your WordPress site uses WPMasterToolKit version 1.0.0–1.15.0. Check your plugin version and upgrade if necessary.
Upgrade WPMasterToolKit to version 2.5.4 or later. If immediate upgrade is not possible, restrict admin access and implement file access controls.
Currently, there are no known public exploits or active campaigns targeting CVE-2025-3300, but prompt remediation is still recommended.
Refer to the WPMasterToolKit official website or WordPress plugin repository for the latest advisory and update information.