Platform: wordpress
Component: image-shadow
Fixed in: 1.1.1
CVE-2025-24765 describes an Arbitrary File Access (path traversal) vulnerability in the Image Shadow plugin for WordPress. A user-supplied file path is not confined to the directory the plugin intends to serve from, so an attacker can manipulate it to read files elsewhere on the server. Image Shadow versions 0.0.0 through 1.1.0 are affected; the fix is in version 1.1.1.
Because the path is not properly restricted, an attacker can step outside the intended directory and read files the plugin was never meant to expose. On a typical WordPress host the most valuable target is wp-config.php, which contains the database credentials and the authentication keys and salts; other candidates are server configuration files and plugin or theme source code. Arbitrary file read does not by itself give code execution, but an attacker who obtains the database credentials and can reach the database can take over the site, and the exposed information can support further attacks on the host. The actual impact therefore depends on which files are readable and how the server is configured.
CVE-2025-24765 was publicly disclosed on 2025-06-27. As of that date, no public proof-of-concept exploit is known. The EPSS score at the time of writing is 0.09% (26th percentile), a low predicted likelihood of exploitation. Monitor security advisories and threat intelligence feeds for any indication of active exploitation.
Exploit Status: no public proof-of-concept known as of 2025-06-27
EPSS: 0.09% (26th percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2025-24765 is to upgrade the Image Shadow plugin to version 1.1.1 or later immediately. If upgrading is not immediately feasible because of compatibility concerns, a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences (../) is a temporary stopgap; the rule must match URL-encoded and double-encoded variants (for example %2e%2e%2f and %252e%252e%252f) and backslash separators, because a rule that only matches the literal string is trivially bypassed. Restrict filesystem permissions so that the web server and PHP process cannot read files outside what the site needs, and regularly review installed plugins, removing any that are unused or no longer maintained.
Update the Image Shadow plugin to the latest available version to fix the directory traversal vulnerability. Check for plugin updates directly in the WordPress administration dashboard or through the official WordPress.org repository.
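The two controls above, a WAF-style request filter and a server-side containment check, are shown below in Python as an added example. This is not code from the Image Shadow plugin or from the RobMarsh project, and nothing is known publicly about the plugin's internal function or parameter names; the base directory, file names and query-string values are all constructed for illustration. The filter decodes before matching, which is what closes the encoded-variant gap mentioned above, and the containment check uses a path-component comparison rather than a string prefix, which is the generally correct way to confine a user-supplied path.

```python
"""Path traversal defences: a WAF-style filter and a server-side containment check.

Added example (not code from the Image Shadow plugin). All paths and
parameter values below are constructed for illustration.
"""
import os
import re
from typing import Optional
from urllib.parse import unquote

# '..' bounded by a separator (or start/end of string) after decoding.
# Deliberately does NOT match '..' inside a filename such as 'my..file.png'.
_TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.($|[\\/])")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (defeats double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(raw: str) -> bool:
    """WAF-style check on a raw query-string value.

    Matching only the literal '../' misses '%2e%2e%2f', '..%5c' and
    '%252e%252e%252f'; normalising first catches all of them.
    """
    decoded = decode_fully(raw)
    # Treat backslash as a separator too (Windows hosts).
    normalised = decoded.replace("\\", "/")
    # Embedded NUL bytes have historically truncated paths; reject outright.
    if "\x00" in normalised:
        return True
    return bool(_TRAVERSAL_RE.search(normalised))


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Server-side fix: resolve the path and require it to stay under base_dir.

    Returns the absolute path if it lies inside base_dir, otherwise None.
    This is the check the application itself must perform before opening a
    user-supplied path, independent of any WAF in front of it.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base if the user supplies an absolute path; the
    # containment check below still rejects such a result.
    target = os.path.realpath(os.path.join(base, decode_fully(user_path)))
    # commonpath, not startswith: '/srv/site/uploads-evil' must not be
    # accepted as inside '/srv/site/uploads'.
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Hypothetical uploads directory; it need not exist for the check to work.
    uploads = "/srv/wp-example/wp-content/uploads"
    samples = [
        "2025/06/shadow-blur-4.png",          # legitimate
        "my..file.png",                       # legitimate, contains '..'
        "../../../wp-config.php",             # plain traversal
        "%2e%2e/%2e%2e/%2e%2e/wp-config.php", # URL-encoded
        "%252e%252e%252fwp-config.php",       # double-encoded
        "..%5c..%5cwp-config.php",            # backslash separators
    ]
    for s in samples:
        print(f"{s!r:45} blocked_by_waf={is_traversal_attempt(s)!s:5} "
              f"resolved={safe_resolve(uploads, s)}")
```

Run the file directly to see both controls applied to the constructed samples; only the two legitimate names resolve to a path under the uploads directory. In a real deployment the WAF rule is the stopgap and `safe_resolve` is the shape of the permanent fix inside the plugin.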
CVE-2025-24765 is a HIGH severity vulnerability that lets attackers read files outside the intended directory in Image Shadow versions 0.0.0 through 1.1.0.
If you are running Image Shadow version 0.0.0 through 1.1.0, you are affected by this vulnerability.
Upgrade the Image Shadow plugin to version 1.1.1 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
As of 2025-06-27, no active exploitation has been confirmed, but monitoring is recommended.
Refer to the RobMarsh project's official website or WordPress plugin repository for the latest advisory and updates.