Platform: wordpress
Component: pt-luxa-addons
Fixed in: 1.2.3
CVE-2025-60217 describes an Arbitrary File Access vulnerability within the ypromo PT Luxa Addons WordPress plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. Versions 0.0.0 through 1.2.2 are affected, and a fix is available in version 1.2.3.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access restrictions and read arbitrary files on the server hosting the WordPress site. This could expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the web server and potentially the entire network if the server has access to other internal resources. The ability to read configuration files could reveal further vulnerabilities or credentials for other systems, enabling lateral movement. This is a high-impact vulnerability due to the potential for data exfiltration and system compromise.
CVE-2025-60217 was publicly disclosed on 2025-10-22. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's ease of exploitation (path traversal is a well-understood attack vector) suggests it could become a target for opportunistic attackers.
Websites utilizing the ypromo PT Luxa Addons plugin, particularly those running older, unpatched versions (0.0.0–1.2.2), are at significant risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -r "../" /var/www/html/wp-content/plugins/pt-luxa-addons/*
• generic web:
curl -I https://example.com/wp-content/plugins/pt-luxa-addons/../../../../etc/passwd
• wordpress / composer / npm:
wp plugin list | grep 'pt-luxa-addons'
• wordpress / composer / npm:
wp plugin update pt-luxa-addons
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2025-60217 is to immediately upgrade the PT Luxa Addons plugin to version 1.2.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the WordPress server to minimize the impact of a successful exploit. Regularly review WordPress plugin installations and remove any unused or outdated plugins to reduce the attack surface. Monitor web server access logs for suspicious requests containing path traversal attempts.
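The log-monitoring step above, as an added example that is not part of the advisory or the plugin vendor's code: a small Python scanner over constructed access-log lines that percent-decodes each request target until stable (so double-encoded `..` sequences are caught), flags any `..` segment, and records whether the request was aimed at the pt-luxa-addons plugin path. The endpoint and parameter names in the sample lines are assumptions; the advisory names none.

```python
import re
from urllib.parse import unquote
# Constructed sample access-log lines (Apache combined format), not captured traffic.
# "hypothetical-endpoint.php?file=" is an assumed request shape; the advisory names no
# specific endpoint or parameter for this plugin.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Oct/2025:10:00:01 +0000] "GET /wp-content/plugins/pt-luxa-addons/assets/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Oct/2025:10:00:02 +0000] "GET /wp-content/plugins/pt-luxa-addons/../../../../etc/passwd HTTP/1.1" 404 120 "-" "curl/8.0"
203.0.113.9 - - [22/Oct/2025:10:00:03 +0000] "GET /wp-content/plugins/pt-luxa-addons/hypothetical-endpoint.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.11 - - [22/Oct/2025:10:00:04 +0000] "GET /wp-content/plugins/pt-luxa-addons/hypothetical-endpoint.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048 "-" "-"
198.51.100.2 - - [22/Oct/2025:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

PLUGIN_PREFIX = "/wp-content/plugins/pt-luxa-addons/"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A ".." that starts a path segment or a query value and is followed by a separator or the end.
TRAVERSAL_RE = re.compile(r'(?<![^/=&?])\.\.(?=[/&]|$)')

def normalize_target(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded sequences such as
    %252e%252e%252f collapse to ../; backslashes are folded to forward slashes."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def is_traversal_attempt(target: str) -> bool:
    """True if the decoded request target carries a '..' segment anywhere (path or query)."""
    return TRAVERSAL_RE.search(normalize_target(target)) is not None

def scan_access_log(text: str) -> list[dict]:
    """One record per flagged request: source IP, decoded target, HTTP status, and
    whether the request was aimed at the pt-luxa-addons plugin path."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_attempt(m["target"]):
            continue
        norm = normalize_target(m["target"])
        hits.append({"ip": m["ip"], "target": norm, "status": int(m["status"]),
                     "plugin_scope": norm.startswith(PLUGIN_PREFIX)})
    return hits

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the case worth triaging first, since it suggests the traversal was served rather than rejected.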
Update the PT Luxa Addons plugin to the latest available version to mitigate the directory traversal vulnerability. Check for plugin updates directly in the WordPress admin dashboard or through the WordPress plugin repository. Make sure to take a full backup of the site before updating any plugin.
CVE-2025-60217 is a HIGH severity vulnerability in the PT Luxa Addons WordPress plugin allowing attackers to read arbitrary files via path traversal. Versions 0.0.0–1.2.2 are affected.
You are affected if your WordPress site uses the PT Luxa Addons plugin and is running version 0.0.0 through 1.2.2. Check your plugin versions immediately.
Upgrade the PT Luxa Addons plugin to version 1.2.3 or later. If immediate upgrade isn't possible, implement WAF rules to block path traversal attempts.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the ypromo website or WordPress plugin repository for the official advisory and update information regarding CVE-2025-60217.