Plattform
wordpress
Komponente
spice-blocks
Behoben in
2.0.8
CVE-2025-48130 describes an Arbitrary File Access vulnerability within Spice Blocks, a WordPress plugin. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths. Versions of Spice Blocks from 0.0.0 through 2.0.7.4 are affected. A patch has been released in version 2.0.7.5.
The Arbitrary File Access vulnerability in Spice Blocks allows an attacker to bypass intended security restrictions and access files outside of the intended directory. By crafting malicious requests with carefully constructed file paths, an attacker could potentially retrieve configuration files, source code, or other sensitive data stored on the server. This could lead to the exposure of credentials, API keys, or other confidential information. The blast radius extends to any data accessible by the web server process, potentially impacting the entire WordPress installation and any connected services. While no direct remote code execution is possible, the information gained could be used to further compromise the system.
CVE-2025-48130 was publicly disclosed on 2025-06-09. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog as of this writing. While the CVSS score indicates a HIGH severity, the lack of public exploits suggests a lower immediate risk, but proactive patching is still strongly recommended.
WordPress websites utilizing the Spice Blocks plugin, particularly those running versions 0.0.0 through 2.0.7.4, are at risk. Shared hosting environments where plugin configurations are less controlled are also more vulnerable.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/spice-blocks/*• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/plugins/spice-blocks/../../../../etc/passwd' # Check for file accessdisclosure
Exploit-Status
EPSS
0.13% (32% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-48130 is to immediately upgrade Spice Blocks to version 2.0.7.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, review file permissions on the server to ensure that the web server user has only the necessary access to files and directories. Monitor web server access logs for suspicious requests containing path traversal attempts. After upgrading, confirm the fix by attempting a path traversal request and verifying that access is denied.
Update to version 2.0.7.5, or a newer patched version
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-48130 is a HIGH severity vulnerability in Spice Blocks for WordPress that allows attackers to read arbitrary files on the server.
Yes, if you are using Spice Blocks versions 0.0.0 through 2.0.7.4, you are affected by this vulnerability.
Upgrade Spice Blocks to version 2.0.7.5 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrading is not possible.
As of the current disclosure date, there are no confirmed reports of active exploitation, but proactive patching is recommended.
Refer to the Spice Blocks official website or WordPress plugin repository for the latest advisory and update information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.