Platform: wordpress
Component: store-locator
Fixed in: 3.98.11
CVE-2025-23422 describes a Path Traversal vulnerability within the moaluko Store Locator plugin for WordPress. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions from 0.0.0 up to and including 3.98.10, and a patch is available in version 3.98.11.
The Path Traversal vulnerability in moaluko Store Locator allows an attacker to bypass intended access restrictions and include files from outside the intended directory. Successful exploitation could lead to the disclosure of sensitive configuration files, source code, or other critical system data. In a worst-case scenario, an attacker could leverage this vulnerability to execute arbitrary PHP code on the server, effectively gaining control of the WordPress instance. This is similar to other Local File Inclusion (LFI) vulnerabilities where attackers exploit insufficient input validation to read arbitrary files. The potential blast radius extends to any data accessible through the web server, including user data, database credentials, and application logic.
CVE-2025-23422 was publicly disclosed on January 24, 2025. The vulnerability's severity is rated HIGH (CVSS 7.5). Currently, there are no known public exploits or active campaigns targeting this specific vulnerability, but the nature of Path Traversal vulnerabilities makes them attractive to attackers. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.17% (38th percentile)
The primary mitigation for CVE-2025-23422 is to immediately upgrade the moaluko Store Locator plugin to version 3.98.11 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on sensitive files to prevent unauthorized access. Monitor WordPress access logs for suspicious requests containing path traversal attempts. While not a direct fix, ensuring the WordPress installation itself is up-to-date with the latest security patches can reduce the overall attack surface.
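The log-monitoring step above is the part most teams skip because traversal markers are rarely literal `../` in the request line. The following is an added example (not code from the advisory or from the plugin) that scans constructed Apache/Nginx "combined" access-log lines, percent-decodes each URL repeatedly so double-encoded sequences are caught, and flags only a real `..` path segment (so a filename like `locations..json` is not a false positive). The `file` query parameter and the log lines are constructed for illustration and are not the plugin's real parameter or real traffic.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# A ".." that stands alone as a path/query segment (either slash style), after decoding.
DOTDOT_RE = re.compile(r'(?:^|[\\/=&?])\.\.(?:[\\/]|$)')

# Constructed sample log lines (not real traffic); the "file" parameter is hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2025:10:01:02 +0000] "GET /wp-content/plugins/store-locator/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jan/2025:10:01:03 +0000] "GET /index.php?file=../../wp-config.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jan/2025:10:02:10 +0000] "GET /index.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.9 - - [24/Jan/2025:10:02:11 +0000] "GET /index.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "curl/8.0"
192.0.2.7 - - [24/Jan/2025:10:03:00 +0000] "GET /store/locations..json HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

def decode_fully(value: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode until the string stops changing (bounded), so %252e (double-encoded)
    is caught as well as %2e. Returns the decoded string and how many rounds changed it."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def is_traversal(url: str) -> bool:
    """True when the decoded request URL (path or query) contains a '..' segment."""
    decoded, _ = decode_fully(url)
    return bool(DOTDOT_RE.search(decoded))

def find_traversal_requests(log_text: str) -> list[dict]:
    """Return one record per log line whose request URL looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        ip, ts, method, url, status = m.groups()
        decoded, rounds = decode_fully(url)
        if DOTDOT_RE.search(decoded):
            hits.append({"ip": ip, "time": ts, "method": method, "url": url,
                         "decoded": decoded, "encoding_rounds": rounds, "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} rounds={hit["encoding_rounds"]} {hit["decoded"]}')
```

A traversal request answered with HTTP 200 (as in the first hit) deserves priority over ones answered 404, since it may indicate the include actually succeeded.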
Update the Store Locator plugin to a fixed version. Consult the plugin's release notes for specific instructions on how to update and mitigate the local file inclusion vulnerability. Make sure to back up your website before performing any update.
CVE-2025-23422 is a Path Traversal vulnerability in the moaluko Store Locator WordPress plugin, allowing attackers to potentially include arbitrary files and access sensitive data.
You are affected if you are using moaluko Store Locator versions 0.0.0 through 3.98.10. Upgrade to 3.98.11 or later to mitigate the risk.
The recommended fix is to upgrade the moaluko Store Locator plugin to version 3.98.11 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official moaluko Store Locator website or WordPress plugin repository for the latest security advisories and updates.