Platform
wordpress
Component
bm-builder
Fixed in
3.16.4
CVE-2025-59002 identifies an arbitrary file access (path traversal) vulnerability in the BM Content Builder plugin for WordPress. The flaw lets an attacker read files on the server by manipulating a file path that the plugin accepts from the request. It affects versions 0.0.0 through 3.16.3.3; the fixed release is 3.16.4, as listed at the top of this page.
The vulnerability lets an attacker bypass the plugin's intended access controls and read files on the host that the web server process can read. The highest-value target on a WordPress host is wp-config.php, which holds the database credentials and the authentication keys and salts; plugin and theme source, other configuration files and anything else under the web root are also exposed. The flaw itself is a read primitive, not code execution: the larger risk is what the leaked secrets enable next, such as direct database access if the database is reachable, and from there modification of content and user accounts. The blast radius is everything readable by the web server user, which on poorly isolated shared hosts may extend beyond this one site.
CVE-2025-59002 was publicly disclosed on 2025-09-26. There is no indication of active exploitation campaigns at this time, and the vulnerability is not listed in the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but path traversal bugs are simple to weaponize once the vulnerable parameter is known, so public exploits are likely to follow.
WordPress sites running the BM Content Builder plugin at any version from 0.0.0 through 3.16.3.3 are at risk. Sites on shared hosting, where site owners have limited control over plugin updates, are particularly exposed, as are sites that keep sensitive data in configuration files or elsewhere in the web-server-readable file system.
• wordpress / composer / npm:
wp plugin get bm-builder --field=version   # WP-CLI: installed plugin version; anything at or below 3.16.3.3 is affected
grep -rhE -m1 '^\s*\*?\s*Version:' /var/www/html/wp-content/plugins/bm-builder/ --include='*.php'   # same check from the plugin header if WP-CLI is unavailable
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/plugins/bm-builder/../../../../etc/passwd'   # generic traversal probe only: the web server normalises ../ before routing, and this page does not identify the vulnerable plugin endpoint or parameter, so a 404 here does not show the site is patched
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-59002 is to upgrade the BM Content Builder plugin to version 3.16.4 or later without delay. If upgrading is not immediately feasible because of compatibility issues or breaking changes, add a Web Application Firewall (WAF) rule that blocks path traversal sequences; a rule that matches only the literal string ../ is easy to bypass, so it must also cover percent-encoded (%2e%2e%2f), double-encoded (%252e%252e%252f) and backslash variants, and it remains a stopgap rather than a fix. Restrict file permissions on the WordPress installation so that the web server user can read only what it needs, which limits what an arbitrary file read can reach. After upgrading, confirm that the installed version is 3.16.4 or later; because this page does not identify the vulnerable endpoint or parameter, failing to fetch a file through a crafted URL does not prove the site is patched. If access logs show traversal attempts against the plugin before the upgrade, treat wp-config.php as exposed and rotate the database credentials and the authentication keys and salts.
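The two pieces of advice above, block traversal sequences at the WAF and fix the containment check in the code, are worth seeing side by side. The following Python is an added example, not code from the BM Content Builder plugin or from this advisory; the page does not name the vulnerable endpoint or parameter, so DEMO_ROOT, the function names and the sample request targets are constructed for illustration. It shows the unchecked path join that produces an arbitrary file read, a hardened resolver that decodes input and enforces containment with realpath, and a log/WAF classifier that catches the percent-encoded, double-encoded and backslash variants that a literal '../' rule would miss.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

# Constructed base directory for the demo (hypothetical; the advisory does not
# name the endpoint, parameter, or directory the plugin actually serves from).
DEMO_ROOT = "/nonexistent-bm-demo/uploads"

# Dot-dot segment preceded by start of string, a path separator, or a query
# delimiter, and followed by a separator or end of string.
_TRAVERSAL_RE = re.compile(r"(?:^|[/\\?&=])\.\.(?:[/\\]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %2e%2e%2f and double-encoded %252e%252e%252f both become '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_vulnerable(root: str, user_path: str) -> str:
    """The bug class behind an arbitrary file read: user input is joined onto a
    base directory and normalised, but never checked for containment, so
    '../../../../etc/passwd' walks straight out of `root`."""
    return os.path.normpath(os.path.join(root, user_path))


def resolve_hardened(root: str, user_path: str) -> Optional[str]:
    """Containment check: decode, reject absolute paths, resolve symlinks, and
    require the final path to sit inside `root`. Returns None when it does not."""
    decoded = fully_decode(user_path).replace("\\", "/")
    if decoded.startswith("/"):          # os.path.join would discard `root`
        return None
    base = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def looks_like_traversal(request_target: str) -> bool:
    """WAF / log-triage heuristic: normalise encoding and backslashes first,
    then look for a dot-dot segment. A rule that matches only the literal
    string '../' misses every encoded variant this function catches."""
    normalised = fully_decode(request_target).replace("\\", "/")
    return _TRAVERSAL_RE.search(normalised) is not None


if __name__ == "__main__":
    # Constructed request targets, as they might appear in an access log.
    samples = [
        "/wp-content/plugins/bm-builder/../../../../etc/passwd",
        "/index.php?file=..%2f..%2fwp-config.php",
        "/index.php?file=%252e%252e%252fwp-config.php",
        "/index.php?file=..\\..\\wp-config.php",
        "/wp-content/plugins/bm-builder/assets/app.js",
        "/uploads/report..2024.pdf",
    ]
    for target in samples:
        flag = "TRAVERSAL" if looks_like_traversal(target) else "ok       "
        print(f"{flag}  {target}")
    print("vulnerable:", resolve_vulnerable(DEMO_ROOT, "../../../../etc/passwd"))
    print("hardened:  ", resolve_hardened(DEMO_ROOT, "../../../../etc/passwd"))
```

Run it directly to see each sample classified: a rule keyed on the literal string ../ would flag only the first of the four malicious samples. The heuristic does not attempt overlong UTF-8 or other server-specific normalisations, so it is a triage aid for logs and a temporary WAF rule, not a substitute for the upgrade; the containment check in resolve_hardened is the shape the code-level fix needs to take.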
Update the BM Content Builder plugin to version 3.16.4 or later (the fixed release listed at the top of this page; the affected range ends at 3.16.3.3) to mitigate the path traversal vulnerability. Check the plugin's official sources or the WordPress plugin repository for the latest version. Back up your site before updating any plugin.
CVE-2025-59002 is a HIGH severity vulnerability in BM Content Builder allowing attackers to read arbitrary files via path traversal. It affects versions 0.0.0–3.16.3.3.
You are affected if your WordPress site uses BM Content Builder versions 0.0.0 through 3.16.3.3. Check your plugin versions immediately.
Upgrade BM Content Builder to version 3.16.4 or later. If an immediate upgrade is not possible, add WAF rules that block path traversal attempts, including percent-encoded variants, as a stopgap.
There is currently no confirmed active exploitation of CVE-2025-59002, but the vulnerability's nature makes it a potential target.
Refer to the BM Content Builder official website or WordPress plugin repository for the latest advisory and update information.