Platform
wordpress
Component
images-optimizer
Fixed in
3.3.1
CVE-2025-25163 describes an Arbitrary File Access vulnerability in the A/B Image Optimizer WordPress plugin. The flaw may allow an attacker to read arbitrary files on the server by manipulating a file path supplied to the plugin. Plugin versions from 0.0.0 up to and including 3.3 are affected; the fix was released in version 3.3.1.
The vulnerability lets an attacker bypass the intended directory restriction and read files outside it. Successful exploitation could expose sensitive information such as configuration files (on WordPress, wp-config.php holds the database credentials) or application source code. The flaw does not by itself give code execution, but the information obtained can be used to find and exploit other weaknesses in the WordPress installation or the underlying server. It follows the familiar path traversal pattern in which '..' sequences in a user-controlled path move the file lookup up and out of the intended directory.
This vulnerability was publicly disclosed on 2025-02-07. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.5 (High) indicates a significant risk, and it is recommended to apply the patch as soon as possible. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS
25.69% (96th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the A/B Image Optimizer plugin to version 3.3.1 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, temporarily restrict access to the plugin's file upload functionality, or deactivate the plugin until the update can be applied. Harden the server to limit what a successful exploit can read: run PHP as a dedicated low-privilege user and keep files outside the web root unreadable to it. Note the limit of that control: the web server process must itself be able to read wp-config.php, so file permissions cannot stop a traversal from reaching files the application legitimately needs; only the patch closes that path. Scan the WordPress installation regularly for vulnerable plugin versions with a reputable security plugin, and review web server access logs for '..' sequences, or their URL-encoded equivalents, in request parameters.
Update the A/B Image Optimizer plugin to the latest available version to fix the directory traversal vulnerability. Check for plugin updates directly in the WordPress administration panel or through the WordPress plugin repository. Make a full backup of your website before applying any update.
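As an added example (not part of this advisory or of the plugin's own code), the following Python shows the two practical points above: how a canonicalising path check confines a user-supplied filename to its intended directory, rejecting '..' escapes and symlink tricks, and how to flag traversal attempts in web server access logs, including URL-encoded and double-encoded forms. The base directory, the `action=example_action` / `file=` request shape and the log lines are constructed placeholders; the page does not identify the plugin's actual vulnerable endpoint or parameter, and nothing here should be read as its real interface.

```python
"""Path traversal: confining a user-supplied path to a base directory and
flagging traversal attempts in access logs.

Added example for illustration only. The base directory, the
`action=example_action` / `file=` request shape and the log lines are
constructed placeholders; they are not the plugin's real endpoint.
"""
import os
import re
import urllib.parse
from typing import List, Optional, Tuple


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical absolute path for `requested` if it stays
    inside `base_dir`; return None if it escapes.

    A leading slash is stripped so an absolute path is treated as
    relative to the base rather than replacing it (os.path.join would
    otherwise discard base_dir). realpath collapses '..' segments and
    resolves symlinks before the containment test, so 'a/../../x' and
    symlinks pointing outside the base are both rejected.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def decode_fully(target: str, max_rounds: int = 2) -> str:
    """URL-decode `target` repeatedly (up to `max_rounds`) so that
    double-encoded payloads such as %252e%252e%252f become '../'."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


# Request target in a Common Log Format line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+) HTTP/')
# A '..' segment followed by a path separator, checked after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def flag_traversal(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, decoded_request_target) for each log line whose
    request target contains a '..' traversal segment after decoding."""
    hits = []
    for idx, line in enumerate(log_lines):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        decoded = decode_fully(match.group(1))
        if TRAVERSAL_RE.search(decoded):
            hits.append((idx, decoded))
    return hits


# Constructed access-log lines (RFC 5737 test addresses); the action and
# parameter names are placeholders, not the plugin's real ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Feb/2025:10:00:01 +0000] "GET /wp-content/uploads/2025/02/hero.webp HTTP/1.1" 200 51234',
    '203.0.113.7 - - [07/Feb/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&file=../../../../wp-config.php HTTP/1.1" 200 3012',
    '203.0.113.9 - - [07/Feb/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3012',
    '203.0.113.9 - - [07/Feb/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1800',
    '198.51.100.4 - - [07/Feb/2025:10:00:05 +0000] "GET /index.php?p=dots..and..more HTTP/1.1" 200 900',
]


if __name__ == "__main__":
    uploads = "/srv/wp/wp-content/uploads"  # placeholder base directory
    for name in ("2025/02/hero.webp", "../../wp-config.php", "2025/../../../etc/passwd"):
        print(f"{name!r:40} -> {resolve_within(uploads, name)}")
    for idx, target in flag_traversal(SAMPLE_LOG):
        print(f"line {idx}: traversal in {target}")
```

The containment check deliberately canonicalises before comparing: a naive check such as `".." not in path` misses encoded forms and symlinks, while `startswith(base)` without `commonpath` would accept `/srv/wp/wp-content/uploads-old/...`. The log scanner decodes twice on purpose, because the same traversal can be submitted raw, percent-encoded or double-encoded depending on what the application decodes; the `dots..and..more` line is a negative case showing that '..' without a following separator is not flagged.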
CVE-2025-25163 is a High severity vulnerability in the A/B Image Optimizer WordPress plugin that allows attackers to read arbitrary files on the server through path traversal.
You are affected if you are using A/B Image Optimizer versions 0.0.0 through 3.3. Upgrade to 3.3.1 or later to mitigate the risk.
Upgrade the A/B Image Optimizer plugin to version 3.3.1 or later. If an immediate upgrade is not possible, restrict access to the plugin's file upload functionality or deactivate the plugin until you can update.
As of now, there are no confirmed reports of active exploitation, but the High severity score warrants immediate action.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.