Platform: wordpress
Component: wolf
Fixed in: 1.0.9
CVE-2025-24605 describes a Path Traversal vulnerability discovered in the WOLF bulk-editor, a WordPress plugin. This vulnerability allows unauthorized access to sensitive files on the server. Versions of WOLF bulk-editor from 0.0.0 up to and including 1.0.8.5 are affected. A patch is available in version 1.0.9.
The Path Traversal vulnerability in WOLF bulk-editor allows an attacker to bypass intended access restrictions and retrieve files from directories outside of the webroot. This could expose sensitive configuration files, database credentials, or even source code. Successful exploitation requires an attacker to interact with the vulnerable plugin, potentially through crafted requests. The blast radius extends to any data readable by the web server process, potentially including user data if it is stored locally. No direct precedent for this specific flaw is known, but similar Path Traversal vulnerabilities have historically led to complete server compromise.
CVE-2025-24605 was publicly disclosed on 2025-02-03. No known public exploits or active campaigns targeting this vulnerability have been reported as of this writing. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the relatively simple nature of Path Traversal vulnerabilities suggests that a PoC may emerge soon.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-24605 is to immediately upgrade the WOLF bulk-editor plugin to version 1.0.9 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the plugin's directory through web server configuration (e.g., .htaccess rules in Apache, or equivalent in Nginx). Implement a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). After upgrading, verify the fix by attempting to access files outside the intended directory via the plugin’s interface; access should be denied.
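The WAF advice above hinges on recognising path traversal sequences reliably, which means decoding the request before matching rather than looking for a literal `../`. The following is an added example, not code from the page or from the WOLF plugin: a small Python detector that URL-decodes each request target in a web-server access log (twice, so double-encoded `%252e%252e%252f` is caught as well) and flags `..` segments followed by a slash or backslash. The log lines, endpoint and parameter names are constructed placeholders and do not describe the plugin's real endpoints.

```python
"""Scan web-server access logs for path traversal sequences.

Added example (not code from the advisory or the WOLF plugin). It decodes each
request target and flags '../' or '..\\' segments, the request class that the
advisory's WAF recommendation is meant to block.
"""
import re
from urllib.parse import unquote

# Common/combined log format: pull out the client IP and the request target.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# A dot-dot segment followed by a forward or back slash, anywhere in the target.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def normalize_target(target: str, max_rounds: int = 2) -> str:
    """URL-decode repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f both collapse to '../'."""
    current = target
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break  # nothing left to decode
        current = decoded
    return current


def has_traversal(target: str) -> bool:
    """True if the decoded request target contains a traversal sequence."""
    return TRAVERSAL_RE.search(normalize_target(target)) is not None


def scan_log(lines):
    """Return (client IP, decoded target) for every request that carries a traversal sequence."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = m.group("target")
        if has_traversal(target):
            hits.append((m.group("ip"), normalize_target(target)))
    return hits


# Constructed sample log lines (not real traffic; endpoint and parameter names are placeholders).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Feb/2025:10:00:01 +0000] "GET /wp-content/plugins/wolf/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Feb/2025:10:00:02 +0000] "GET /example.php?f=..%2F..%2Fwp-config.php HTTP/1.1" 403 0',
    '203.0.113.9 - - [03/Feb/2025:10:00:03 +0000] "GET /example.php?f=%252e%252e%252fwp-config.php HTTP/1.1" 403 0',
    '198.51.100.2 - - [03/Feb/2025:10:00:04 +0000] "GET /wp-content/uploads/2025/02/report..pdf HTTP/1.1" 200 99',
    '203.0.113.11 - - [03/Feb/2025:10:00:05 +0000] "GET /example.php?f=..%5C..%5Cconfig.ini HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"traversal sequence from {ip}: {target}")
```

The fourth sample line (`report..pdf`) is there to show that a bare `..` inside a file name is not flagged; only a dot-dot segment followed by a separator is. The decode loop is bounded on purpose: an unbounded loop on attacker-controlled input is itself a denial-of-service risk, and two rounds cover the double-encoding that most naive filters miss.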
Update the WOLF plugin to a fixed version. Consult the plugin's release notes or the developer's website for more information on available versions and upgrade instructions.
CVE-2025-24605 is a Path Traversal vulnerability affecting the WOLF bulk-editor WordPress plugin, allowing attackers to access arbitrary files on the server.
You are affected if you are using WOLF bulk-editor versions 0.0.0 through 1.0.8.5. Upgrade to 1.0.9 or later to mitigate the risk.
Upgrade the WOLF bulk-editor plugin to version 1.0.9 or later. If upgrading is not possible, restrict access to the plugin directory and implement WAF rules.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.