Platform
wordpress
Component
workreap
Fixed in
3.3.6
CVE-2025-59566 describes an Arbitrary File Access vulnerability discovered in the Workreap plugin for WordPress. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability affects versions from 0.0.0 through 3.3.5, and a fix is available in version 3.3.6.
The Arbitrary File Access vulnerability in Workreap allows an attacker to bypass intended access controls and read arbitrary files on the server. This could expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could lead to a complete compromise of the WordPress site and potentially the underlying server. The impact is amplified if the server hosts other applications or services, enabling lateral movement and expanding the blast radius of the attack.
CVE-2025-59566 was publicly disclosed on 2025-10-22. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. It is recommended to prioritize patching due to the potential for sensitive data exposure.
WordPress websites utilizing the Workreap plugin, particularly those running older versions (0.0.0–3.3.5), are at risk. Shared hosting environments where plugin updates are managed centrally are also potentially vulnerable, as are websites with limited security configurations.
• wordpress / composer / npm:
grep -rF "../" /var/www/html/wp-content/plugins/workreap/*
• generic web:
curl -I 'https://your-wordpress-site.com/wp-content/plugins/workreap/wp-content/../etc/passwd' # Attempt path traversal
Disclosure
Exploit status
EPSS
0.07% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-59566 is to immediately upgrade the Workreap plugin to version 3.3.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting file access permissions on the server, implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., '../'), or carefully reviewing and sanitizing all user-supplied input. After upgrading, confirm the vulnerability is resolved by attempting to access a restricted file via a crafted URL; access should be denied.
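A WAF rule that only matches the literal string '../' misses percent-encoded and double-encoded forms of the same sequence. The following detection logic, added here as an example that is not part of the advisory or of the Workreap plugin, decodes each request target repeatedly before looking for a '..' segment and flags requests aimed at the plugin path; the log lines are constructed, and the download.php endpoint and its file parameter are hypothetical, since the advisory does not name the vulnerable entry point.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The plugin path comes from
# the advisory; the endpoint and the "file" parameter are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Oct/2025:10:01:02 +0000] "GET /wp-content/plugins/workreap/assets/app.js HTTP/1.1" 200 512
203.0.113.9 - - [22/Oct/2025:10:01:07 +0000] "GET /wp-content/plugins/workreap/download.php?file=../../wp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [22/Oct/2025:10:01:09 +0000] "GET /wp-content/plugins/workreap/download.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [22/Oct/2025:10:01:11 +0000] "GET /wp-content/plugins/workreap/download.php?file=..%252f..%252fetc%252fpasswd HTTP/1.1" 403 0
198.51.100.7 - - [22/Oct/2025:10:02:00 +0000] "GET /wp-content/plugins/workreap/?v=3.3.6 HTTP/1.1" 200 100
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
PLUGIN_PREFIX = "/wp-content/plugins/workreap/"
# A ".." segment bounded by a path separator or a query delimiter on either side.
DOTDOT_RE = re.compile(r'(?:^|[/\\?&=;])\.\.(?:[/\\]|$|[?&;])')


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e) are caught too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(target: str) -> bool:
    return DOTDOT_RE.search(fully_decode(target)) is not None


def find_traversal_attempts(log_text: str) -> list:
    """Requests aimed at the Workreap plugin path that carry a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded_target = fully_decode(m.group("target"))
        if decoded_target.startswith(PLUGIN_PREFIX) and has_traversal(decoded_target):
            hits.append({"ip": m.group("ip"), "status": m.group("status"), "bytes": m.group("bytes"), "target": decoded_target})
    return hits


def likely_successful(hits: list) -> list:
    """Traversal requests answered 200 with a body: on versions 0.0.0-3.3.5 these deserve a look."""
    return [h for h in hits if h["status"] == "200" and h["bytes"] not in ("0", "-")]
```

Run it over the web server's access log for the period before the upgrade to 3.3.6; a 403 on a traversal request shows the WAF rule firing, while a 200 with a non-empty body is the pattern to investigate.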
Update the Workreap plugin to a version later than 3.3.5 to mitigate the path traversal vulnerability. Check the plugin page on WordPress.org for the latest available version and follow the update instructions provided by the developer.
CVE-2025-59566 is a HIGH severity vulnerability in the Workreap plugin for WordPress that allows attackers to read arbitrary files on the server due to improper path validation.
You are affected if you are using Workreap plugin versions 0.0.0 through 3.3.5. Upgrade to version 3.3.6 to resolve the vulnerability.
Upgrade the Workreap plugin to version 3.3.6 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
As of the public disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the AmentoTech advisory and the WordPress plugin directory for updates and further information regarding CVE-2025-59566.