Plattform
wordpress
Komponente
seofy-core
Behoben in
1.6.9
CVE-2025-39473 describes a Path Traversal vulnerability within the Seofy Core component, allowing for PHP Local File Inclusion. This vulnerability enables attackers to potentially read arbitrary files on the server, leading to sensitive data exposure or, in some cases, remote code execution. The vulnerability impacts versions of Seofy Core from 0.0.0 up to and including 1.6.8, with a fix available in version 1.6.11.
The Path Traversal vulnerability in Seofy Core allows an attacker to include arbitrary files from the server's filesystem. This can lead to the disclosure of sensitive information, such as configuration files, database credentials, or even source code. Successful exploitation could grant an attacker complete control over the affected WordPress instance, enabling them to modify content, install malicious plugins, or escalate privileges. The ability to include arbitrary PHP files also opens the door to Remote Code Execution (RCE) if the attacker can upload a malicious PHP script to the server.
CVE-2025-39473 was published on 2025-06-09. Currently, there are no known public exploits or active campaigns targeting this vulnerability. Its EPSS score is pending evaluation. While no public proof-of-concept exists, the path traversal nature of the vulnerability makes it a likely target for automated scanning and exploitation.
WordPress websites utilizing the Seofy Core plugin, particularly those running versions 0.0.0 through 1.6.8, are at risk. Shared hosting environments where users have limited control over plugin configurations are also particularly vulnerable, as are sites with legacy configurations that haven't been regularly updated.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/seofy-core/*• generic web:
curl -I http://example.com/wp-content/plugins/seofy-core/../../../../etc/passwddisclosure
Exploit-Status
EPSS
0.07% (20% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-39473 is to upgrade Seofy Core to version 1.6.11 or later. If upgrading immediately is not possible, consider implementing a temporary workaround by restricting file access permissions on the server. Ensure that the web server user has minimal privileges and that sensitive files are not accessible via the web. Implement a Web Application Firewall (WAF) with rules to block path traversal attempts, specifically looking for patterns like '../' in file requests. After upgrading, confirm the vulnerability is resolved by attempting a path traversal request and verifying that it is blocked or results in an error.
Aktualisieren Sie auf Version 1.6.11 oder eine neuere gepatchte Version
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-39473 is a Path Traversal vulnerability in Seofy Core allowing PHP Local File Inclusion, potentially exposing sensitive data or enabling code execution.
You are affected if your WordPress site uses Seofy Core versions 0.0.0 through 1.6.8. Check your plugin versions and upgrade immediately.
Upgrade Seofy Core to version 1.6.11 or later. If immediate upgrade isn't possible, implement temporary workarounds like restricting file access and using a WAF.
As of the last update, there are no known public exploits or active campaigns targeting CVE-2025-39473, but vigilance is still advised.
Refer to the official Seofy Core project website or WordPress plugin repository for the latest advisory and security updates related to CVE-2025-39473.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.