Platform: wordpress
Component: tainacan
Fixed in: 0.21.15
CVE-2025-47512 describes an Arbitrary File Access vulnerability within the Tainacan WordPress plugin. This vulnerability allows attackers to potentially read sensitive files on the server by manipulating file paths. The issue impacts versions of Tainacan from 0.0.0 up to and including 0.21.14. A fix has been released in version 0.21.15.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access controls and read files outside of the intended directory. Successful exploitation could lead to the exposure of configuration files, source code, database credentials, or other sensitive data. While the vulnerability is specific to the WordPress environment, the potential impact is significant, as it could compromise the entire web server if sensitive files are exposed. This is particularly concerning for Tainacan installations handling user data or sensitive content, as attackers could potentially gain access to private information.
CVE-2025-47512 was publicly disclosed on 2025-05-23. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability is not currently listed on the CISA KEV catalog. The relatively recent disclosure and lack of public exploits suggest a low to medium probability of near-term exploitation, but proactive patching is still strongly recommended.
WordPress sites utilizing the Tainacan plugin, particularly those with older versions (0.0.0–0.21.14), are at risk. Shared hosting environments where users have limited control over server configurations are also particularly vulnerable, as are systems with default file permissions.
• wordpress / composer / npm:
  grep -r "../" /var/www/html/tainacan/*
• generic web:
  curl -I http://your-wordpress-site.com/tainacan/../../../../etc/passwd
• wordpress / composer / npm:
  wp plugin list | grep tainacan
• wordpress / composer / npm:
  wp plugin update tainacan
Disclosure
Exploit status
EPSS
0.38% (59th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-47512 is to immediately upgrade the Tainacan plugin to version 0.21.15 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting file access permissions on the server. Specifically, ensure that the web server user does not have write access to directories containing sensitive files. Additionally, implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). After upgrading, confirm the fix by attempting to access a file outside the intended directory via a web browser; the request should be denied.
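As an added example (not from this advisory or from the Tainacan project), the Python below shows the two halves of the mitigation described above: spotting traversal attempts in web server access logs, including percent-encoded forms that a literal `../` rule would miss, and the canonical-path containment check that a durable fix relies on. The log lines and the `/srv/example/uploads` directory are constructed for illustration.

```python
import os
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [23/May/2025:10:01:02 +0000] "GET /wp-content/plugins/tainacan/assets/logo.png HTTP/1.1" 200 512
203.0.113.7 - - [23/May/2025:10:01:03 +0000] "GET /tainacan/../../../../etc/passwd HTTP/1.1" 200 1431
203.0.113.9 - - [23/May/2025:10:01:04 +0000] "GET /tainacan/%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2900
203.0.113.9 - - [23/May/2025:10:01:05 +0000] "GET /tainacan/..%5c..%5cwp-config.php HTTP/1.1" 404 210
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def normalize(url_path):
    """Percent-decode twice (covers double encoding) and fold backslashes
    to forward slashes so one rule catches the common encoded variants."""
    return unquote(unquote(url_path)).replace("\\", "/")


def is_traversal_attempt(url_path):
    """True when any segment of the normalized path is '..'."""
    return ".." in normalize(url_path).split("/")


def traversal_hits(log_text):
    """Return the request paths in an access log that look like traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_traversal_attempt(match.group(1)):
            hits.append(match.group(1))
    return hits


def resolve_within(base_dir, requested):
    """Canonicalize the requested file and confirm it stays under base_dir;
    return the resolved path, or None if it escaped (the durable fix)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    return target if os.path.commonpath([base, target]) == base else None


if __name__ == "__main__":
    for path in traversal_hits(SAMPLE_LOG):
        print("traversal attempt:", path)
    print(resolve_within("/srv/example/uploads", "2025/logo.png"))
    print(resolve_within("/srv/example/uploads", "../../etc/passwd"))
```

`resolve_within` compares whole path components with `commonpath`, so a sibling directory such as `uploads2` is rejected where a plain string-prefix check would let it through.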
Update the Tainacan plugin to the latest available version to mitigate the directory traversal vulnerability. Check the plugin page on WordPress.org for the most recent updates and installation instructions. Make sure to back up your website before updating any plugin.
CVE-2025-47512 is a HIGH severity vulnerability affecting the Tainacan WordPress plugin, allowing attackers to read arbitrary files on the server through path manipulation. It impacts versions 0.0.0–0.21.14.
If you are using Tainacan WordPress plugin versions 0.0.0 through 0.21.14, you are potentially affected by this vulnerability. Check your plugin version and upgrade immediately.
Upgrade the Tainacan plugin to version 0.21.15 or later to resolve this Arbitrary File Access vulnerability. If immediate upgrade is not possible, implement stricter file access controls.
As of the current date, there are no confirmed reports of active exploitation of CVE-2025-47512, but the vulnerability's nature suggests potential for future exploitation.
Refer to the official Tainacan plugin website or WordPress plugin repository for the latest advisory and update information regarding CVE-2025-47512.