Plattform
wordpress
Komponente
buddypress-xprofile-image-field
Behoben in
3.0.2
CVE-2025-48158 describes an Arbitrary File Access vulnerability within the BuddyPress XProfile Custom Image Field plugin. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths. The vulnerability impacts versions from 0.0.0 up to and including 3.0.1. A patch has been released in version 3.0.2.
The Arbitrary File Access vulnerability allows an attacker to bypass intended security restrictions and access files outside of the intended directory. In the context of BuddyPress XProfile Custom Image Field, this could allow an attacker to read configuration files, database credentials, or even source code from the web server. Successful exploitation could lead to sensitive data exposure, compromise of the entire WordPress installation, and potential lateral movement within the network if credentials are exposed. The ability to read arbitrary files significantly expands the attack surface and potential impact.
CVE-2025-48158 was publicly disclosed on 2025-08-20. While no public proof-of-concept (PoC) code has been widely reported, the nature of path traversal vulnerabilities makes it likely that one will emerge. The EPSS score is likely to be medium, indicating a moderate probability of exploitation given the ease of exploitation once a PoC is available. It is not currently listed on the CISA KEV catalog.
WordPress websites utilizing the BuddyPress XProfile Custom Image Field plugin, particularly those running older versions (0.0.0 – 3.0.1), are at risk. Shared hosting environments are particularly vulnerable as a compromise of one site could potentially expose files on the entire server. Sites with weak file permission configurations are also at increased risk.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/buddypress-xprofile-image-field/*• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/uploads/buddypress-xprofile-image-field/../../../../etc/passwd' # Check for file disclosuredisclosure
Exploit-Status
EPSS
0.06% (19% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-48158 is to immediately upgrade the BuddyPress XProfile Custom Image Field plugin to version 3.0.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a temporary workaround by restricting file upload directories and implementing strict input validation to prevent path traversal attempts. Web Application Firewalls (WAFs) can be configured with rules to block requests containing suspicious path traversal sequences (e.g., '../'). After upgrading, verify the fix by attempting to access files outside the intended upload directory and confirming that access is denied.
Actualice el plugin BuddyPress XProfile Custom Image Field a la versión 3.0.2 o superior para mitigar la vulnerabilidad de recorrido de ruta. Esta actualización aborda la falta de limitación adecuada de la ruta de acceso, previniendo la eliminación arbitraria de archivos.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-48158 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server through path traversal in the BuddyPress XProfile Custom Image Field plugin.
You are affected if you are using BuddyPress XProfile Custom Image Field versions 0.0.0 through 3.0.1. Upgrade to 3.0.2 or later to resolve the issue.
Upgrade the BuddyPress XProfile Custom Image Field plugin to version 3.0.2 or later. As a temporary workaround, restrict file access and validate user input.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official BuddyPress XProfile Custom Image Field plugin documentation and WordPress security announcements for the latest advisory information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.