Platform: wordpress
Component: wp-pipes
Fixed in: 1.4.3
CVE-2025-48267 describes an Arbitrary File Access vulnerability discovered in WP Pipes, a WordPress plugin. This vulnerability allows attackers to read arbitrary files on the server by manipulating file paths, potentially exposing sensitive data like configuration files or database credentials. The vulnerability affects versions of WP Pipes prior to 1.4.3, and a patch is available in version 1.4.3.
The Arbitrary File Access vulnerability in WP Pipes allows an attacker to bypass intended access restrictions and read arbitrary files on the server. This could include configuration files containing database credentials, private keys, or other sensitive information. Successful exploitation could lead to complete compromise of the WordPress installation and potentially the underlying server. The attacker could gain access to user data, modify website content, or even execute arbitrary code if the retrieved files contain executable code or are used in further attacks.
This vulnerability was publicly disclosed on 2025-06-09. No public proof-of-concept exploits are currently known. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
WordPress websites using the WP Pipes plugin are at risk. Specifically, sites running older versions of WP Pipes (prior to 1.4.3) are vulnerable. Shared hosting environments where users have limited control over plugin updates are particularly susceptible.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/wp-pipes/
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/wp-pipes/../../../../etc/passwd' # Check for file disclosure
Exploit status
EPSS: 0.10% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-48267 is to immediately upgrade WP Pipes to version 1.4.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on sensitive files to prevent unauthorized access. Regularly review WordPress plugin installations and remove any unused or outdated plugins.
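The WAF rule suggested above is only as good as its handling of encoding: a filter that matches the literal string "../" misses "%2e%2e/" and double-encoded "..%252f". The following Python is an added example, not code from this page, from ThimPress or from the WP Pipes plugin; it decodes request targets until they stop changing before looking for traversal sequences, runs that check over a few constructed access-log lines, and includes a small version comparison against the 1.4.3 fix version stated on this page. The log lines, client addresses and the assumption that a plugin version string looks like "1.4.2" are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real server). Line 2 mirrors the
# shape of the curl check shown on this page; lines 3-5 are encoded variants of it.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2025:10:00:01 +0000] "GET /wp-content/plugins/wp-pipes/assets/app.js HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2025:10:00:02 +0000] "GET /wp-content/plugins/wp-pipes/../../../../etc/passwd HTTP/1.1" 404 0
198.51.100.7 - - [09/Jun/2025:10:00:03 +0000] "GET /wp-content/plugins/wp-pipes/%2e%2e/%2e%2e/wp-config.php HTTP/1.1" 403 0
198.51.100.7 - - [09/Jun/2025:10:00:04 +0000] "GET /wp-content/plugins/wp-pipes/..%252f..%252fwp-config.php HTTP/1.1" 403 0
192.0.2.9 - - [09/Jun/2025:10:00:05 +0000] "GET /wp-content/plugins/wp-pipes/readme.txt?x=..%2f HTTP/1.1" 200 90
192.0.2.9 - - [09/Jun/2025:10:00:06 +0000] "GET /wp-content/plugins/wp-pipes/assets/file..js HTTP/1.1" 200 40
"""

# Pulls method and request target out of a combined-log-format request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Version in which the page says the issue is fixed.
FIXED_VERSION = (1, 4, 3)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that %2e%2e and
    the double-encoded %252e%252e both surface as '..' before the check runs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target: str) -> bool:
    """True if the decoded request target (path or query) carries a '../' segment.
    Backslashes are folded to '/' so '..\\' is treated the same way.
    A bare '..' inside a filename such as 'file..js' is not a traversal."""
    decoded = fully_decode(target).replace("\\", "/")
    return "../" in decoded or decoded.endswith("/..")


def flag_traversal_requests(log_text: str) -> list:
    """Return (client_ip, raw_target, decoded_target) for every log line whose
    request target carries a traversal sequence after decoding."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        if has_traversal(target):
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, target, fully_decode(target)))
    return hits


def is_affected(version: str) -> bool:
    """True if a WP Pipes version string (assumed dotted numeric, e.g. '1.4.2')
    is older than the 1.4.3 fix version given on this page."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts = parts + (0,) * (3 - len(parts))
    return parts < FIXED_VERSION


if __name__ == "__main__":
    for ip, raw, decoded in flag_traversal_requests(SAMPLE_LOG):
        print(f"{ip}  {raw}  ->  {decoded}")
    for v in ("1.4.2", "1.4.3"):
        print(v, "affected" if is_affected(v) else "fixed")
```

Against the constructed log, four of the six lines are flagged: the raw "../" request, both single- and double-encoded forms, and the encoded sequence hidden in a query parameter; the benign "file..js" request passes. Applying the same decode-then-match order in a WAF rule is what keeps the rule from being bypassed by encoding, and the decoded target in each hit is what you would hand to incident responders.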
Update the WP Pipes plugin to the latest available version to fix the directory traversal vulnerability. Check for available updates in the WordPress admin panel or in the WordPress plugin repository. Make sure to back up your website before updating any plugin.
CVE-2025-48267 is a HIGH severity vulnerability in WP Pipes allowing attackers to read arbitrary files on a WordPress server through path manipulation. It affects versions before 1.4.3.
You are affected if your WordPress site uses WP Pipes version 1.4.2 or earlier. Check your plugin versions and upgrade immediately.
Upgrade WP Pipes to version 1.4.3 or later. If immediate upgrade is not possible, implement WAF rules to block suspicious path traversal attempts.
While no public exploits are currently known, the ease of exploitation suggests it may be targeted. Monitor security advisories for updates.
Check the ThimPress website and WordPress plugin repository for the official advisory and update information.