HIGHCVE-2025-25130CVSS 7.5

CVE-2025-25130: Path Traversal in Delete Comments By Status

Platform

wordpress

Component

delete-comments-by-status

Fixed in

2.1.2

AI Confidence: highNVDEPSS 0.2%Reviewed: May 2026

View on NVD

Save

A Path Traversal vulnerability has been identified in the Delete Comments By Status plugin for WordPress. This flaw allows attackers to potentially access sensitive files and directories on the server by manipulating file paths. The vulnerability affects versions from 0.0.0 up to and including 2.1.1, and a fix is available in version 2.1.2.

Impact and Attack Scenarios

The Path Traversal vulnerability in Delete Comments By Status allows an attacker to bypass intended access restrictions and read files outside of the webroot. This could expose sensitive configuration files, source code, database credentials, or other confidential data. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the underlying server. The attacker could gain access to critical system files, leading to data breaches, system modifications, or even remote code execution if combined with other vulnerabilities.

Exploitation Context

This vulnerability was publicly disclosed on March 3, 2025. No public proof-of-concept exploits are currently known. The CVSS score of 7.5 (High) indicates a significant risk. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.19% (41% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impacttotal

CVSS Vector

Affected Software

Componentdelete-comments-by-status

VendorShah Alom

Affected rangeFixed in

0.0.0 – 2.1.12.1.2

Weakness Classification (CWE)

CWE-23

Timeline

Reserved2025-02-03
Published2025-03-03
Modified2026-04-28
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2025-25130 is to immediately upgrade the Delete Comments By Status plugin to version 2.1.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences (e.g., ../). Carefully review file permissions to ensure that sensitive files are not accessible from the webroot. Monitor WordPress logs for unusual file access attempts.

How to fix

Actualice el plugin Delete Comments By Status a la última versión disponible para mitigar la vulnerabilidad de Path Traversal.  Verifique la página del plugin en wordpress.org para obtener la versión más reciente y las instrucciones de actualización.  Asegúrese de realizar una copia de seguridad de su sitio web antes de actualizar cualquier plugin.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-25130 — Path Traversal in Delete Comments By Status?

CVE-2025-25130 is a Path Traversal vulnerability affecting the Delete Comments By Status WordPress plugin, allowing attackers to read arbitrary files.

Am I affected by CVE-2025-25130 in Delete Comments By Status?

You are affected if you are using Delete Comments By Status versions 0.0.0 through 2.1.1. Upgrade to 2.1.2 or later to mitigate the risk.

How do I fix CVE-2025-25130 in Delete Comments By Status?

Upgrade the Delete Comments By Status plugin to version 2.1.2 or later. Consider WAF rules as a temporary workaround if immediate upgrade is not possible.

Is CVE-2025-25130 being actively exploited?

There are currently no reports of active exploitation, but the vulnerability is publicly known and poses a significant risk.

Where can I find the official Delete Comments By Status advisory for CVE-2025-25130?

Check the Delete Comments By Status plugin page on WordPress.org for updates and security advisories.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

Scan free

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.