Platform
wordpress
Component
fw-gallery
Fixed in
8.0.1
CVE-2025-49415 describes an Arbitrary File Access vulnerability in the FW Gallery plugin for WordPress. It allows an attacker to read files from the server's file system that the plugin was never meant to serve. The issue affects FW Gallery versions 0.0.0 up to and including 8.0.0; a fix was released in version 8.0.1.
The Arbitrary File Access vulnerability lets an attacker bypass the intended access controls and read files they should not be able to reach. On a WordPress host this typically means wp-config.php (database credentials and authentication salts), plugin and theme source code, or other sensitive files readable by the PHP process. Successful exploitation can lead to data breaches, compromise of the WordPress installation, and potential lateral movement if the server has access to other resources. The impact is amplified if the server hosts other applications or services, since their files may be readable by the same account.
CVE-2025-49415 was publicly disclosed on 2025-06-17. There is no indication of active exploitation campaigns at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the path traversal nature of the vulnerability makes it straightforward to exploit once the vulnerable endpoint is known.
WordPress websites utilizing the FW Gallery plugin, particularly those running older versions (0.0.0 - 8.0.0), are at significant risk. Shared hosting environments where users have limited control over plugin updates are especially vulnerable.
• wordpress (WP-CLI):
wp plugin get fw-gallery --field=version
• wordpress (no WP-CLI): read the Version header of the plugin's main file
grep -hE '^\s*\*?\s*Version:' /var/www/html/wp-content/plugins/fw-gallery/*.php
Any value from 0.0.0 through 8.0.0 is affected; 8.0.1 or later is fixed.
• generic web: this advisory does not identify the vulnerable endpoint, and a request such as .../fw-gallery/../../../../etc/passwd is collapsed by the HTTP client and the web server before it reaches PHP, so it tells you nothing about this flaw. Rely on the version check, and re-test only against the specific endpoint once it is known.
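The version check above can be scripted. The following is an added example, not code from the FW Gallery project or from this advisory: it reads the `Version:` header that every WordPress plugin declares in its main PHP file (the same header wp-admin displays) and compares it with the fixed release. The plugin directory used for the demonstration is a constructed temporary directory, and the file name `plugin.php` in that fixture is hypothetical; point `assess()` at the real `wp-content/plugins/fw-gallery` directory in practice.

```python
"""Version check for CVE-2025-49415 (FW Gallery, affected 0.0.0-8.0.0,
fixed in 8.0.1). Added example; not code from the FW Gallery project.
Reads the WordPress plugin header ("Version: x.y.z") from the plugin's
main PHP file, the same header wp-admin uses to display the version."""
import os
import re
import tempfile

FIXED_IN = (8, 0, 1)  # from the advisory: first non-vulnerable release

# WordPress reads only the first 8 KiB of a plugin file for header fields.
HEADER_BYTES = 8192
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)


def parse_version(text):
    """'8.0.1' -> (8, 0, 1); shorter strings are zero-padded ('8.0' -> (8, 0, 0))."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def read_plugin_version(plugin_dir):
    """Return the Version: header of the PHP file in plugin_dir that carries a
    'Plugin Name:' header (the plugin's main file), or None if none is found."""
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
            head = fh.read(HEADER_BYTES)
        if "Plugin Name:" not in head:
            continue
        match = VERSION_RE.search(head)
        if match:
            return match.group(1)
    return None


def is_vulnerable(version):
    """True for every version below the fixed release, i.e. 0.0.0 through 8.0.0."""
    return parse_version(version) < FIXED_IN


def assess(plugin_dir):
    """(version, vulnerable) for the plugin in plugin_dir; (None, None) if unreadable."""
    version = read_plugin_version(plugin_dir)
    if version is None:
        return (None, None)
    return (version, is_vulnerable(version))


def make_sample_plugin(version):
    """Constructed fixture: a temp dir holding a minimal plugin main file.
    The file name 'plugin.php' is hypothetical; the real main file may differ."""
    plugin_dir = tempfile.mkdtemp(prefix="fw-gallery-")
    with open(os.path.join(plugin_dir, "plugin.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\n/*\nPlugin Name: FW Gallery\nVersion: %s\n*/\n" % version)
    return plugin_dir


if __name__ == "__main__":
    # Real use: assess("/var/www/html/wp-content/plugins/fw-gallery")
    for sample in ("7.9.2", "8.0.0", "8.0.1", "8.1"):
        print(sample, assess(make_sample_plugin(sample)))
```

The comparison is done on a numeric tuple rather than on the string, so `8.0.0` correctly sorts below `8.0.1` and a two-part version such as `8.1` is treated as `8.1.0`.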
Exploit status
EPSS
0.10% (26th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49415 is to upgrade the FW Gallery plugin to version 8.0.1 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily restrict access to the vulnerable endpoint. A Web Application Firewall (WAF) can block requests containing path traversal sequences; note that a rule matching only the literal string ../ is not enough, since the same sequence can arrive URL-encoded (..%2f, %2e%2e/) or double-encoded (%252e%252e%252f), so the rule has to apply after decoding. Monitor access logs for suspicious file access attempts, particularly requests carrying directory traversal patterns in the path or in query parameters. After upgrading, confirm the fix by attempting to access a non-public file via the previously vulnerable endpoint and verifying that access is denied.
Update the FW Gallery plugin to the latest available version to fix the directory traversal vulnerability. Check for available updates in the WordPress admin panel or through the WordPress plugin repository. Make sure to take a full backup of the site before updating any plugin.
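The log-monitoring and WAF advice above hinges on one detail: a rule that only matches the literal string `../` misses URL-encoded (`..%2f`) and double-encoded (`%252e%252e%252f`) forms. The following added example (not from this advisory or from the vendor) parses combined-format access log lines, decodes request paths and query values until they stop changing, and reports requests that contain a `..` segment or whose resolved target leaves the plugin directory. The log lines are constructed, and the `index.php` request path and `file` parameter in them are hypothetical: the advisory does not name the vulnerable endpoint.

```python
"""Detect directory-traversal attempts against a WordPress plugin path in
combined-format access logs. Added example, not from the advisory or vendor.
The sample log lines are constructed; the request path and the `file`
query parameter in them are hypothetical (the advisory does not name
the vulnerable endpoint)."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

PLUGIN_BASE = "/wp-content/plugins/fw-gallery"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment, bounded by slashes or string ends, after decoding.
DOTDOT_RE = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample lines: one benign, three traversal variants (plain,
# URL-encoded, double-encoded), one dot-dot that stays inside the plugin dir.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jun/2025:10:00:01 +0000] "GET /wp-content/plugins/fw-gallery/assets/style.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.11 - - [17/Jun/2025:10:00:02 +0000] "GET /wp-content/plugins/fw-gallery/index.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.12 - - [17/Jun/2025:10:00:03 +0000] "GET /wp-content/plugins/fw-gallery/index.php?file=..%2f..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 3120 "-" "python-requests/2.31"
203.0.113.13 - - [17/Jun/2025:10:00:04 +0000] "GET /wp-content/plugins/fw-gallery/index.php?file=%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2048 "-" "-"
203.0.113.14 - - [17/Jun/2025:10:00:05 +0000] "GET /wp-content/plugins/fw-gallery/images/../images/a.jpg HTTP/1.1" 200 5555 "-" "Mozilla/5.0"
"""


def full_decode(value, max_rounds=3):
    """URL-decode repeatedly until the value stops changing, so that
    double-encoded sequences (%252e -> %2e -> .) are seen in plain form.
    Backslashes are folded to slashes, as a Windows-hosted PHP would treat them."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def escapes(base, relative):
    """True if joining `relative` onto `base` and normalising leaves `base`."""
    resolved = posixpath.normpath(posixpath.join(base, relative))
    return not (resolved == base or resolved.startswith(base + "/"))


def analyze(line, base=PLUGIN_BASE):
    """Parse one log line; return a dict with the findings, or None if unparsable."""
    match = LOG_RE.match(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    findings = []

    # The URL path itself: the web server normally collapses ".." before PHP
    # sees it, but the attempt is still worth logging.
    path = full_decode(parts.path)
    if DOTDOT_RE.search(path):
        findings.append("dotdot-in-path")
    if path.startswith(base + "/") and escapes(base, path):
        findings.append("path-escapes-plugin-dir")

    # Query values are what a file-serving handler typically joins onto a
    # directory, so resolve each one relative to the plugin directory.
    for pair in (parts.query.split("&") if parts.query else []):
        name, _, raw = pair.partition("=")
        value = full_decode(raw)
        if DOTDOT_RE.search(value):
            findings.append("dotdot-in-param:" + name)
        if value and escapes(base, value):
            findings.append("escapes-plugin-dir:" + name)

    return {"ip": match.group("ip"), "status": match.group("status"),
            "target": match.group("target"), "findings": findings}


def scan(log_text):
    """Return the parsed entries with at least one finding, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = analyze(line)
        if entry and entry["findings"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["findings"], hit["target"])
```

The two finding classes are deliberately separate: `dotdot-in-*` is the raw signal a WAF would block, while `escapes-plugin-dir` shows whether the resolved target actually left the plugin directory, which is the line worth escalating; the last sample line triggers only the former and is the kind of benign noise a literal `../` rule would also block.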
CVE-2025-49415 is a HIGH severity vulnerability in FW Gallery for WordPress that allows attackers to read arbitrary files on the server.
You are affected if you are using FW Gallery versions 0.0.0 through 8.0.0. Upgrade to 8.0.1 to mitigate the risk.
Upgrade the FW Gallery plugin to version 8.0.1 or later. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
There is currently no known active exploitation, but it is important to patch promptly to prevent future exploitation.
Refer to the official Fastw3b LLC website or WordPress plugin repository for the latest advisory and update information.