Platform: wordpress
Component: estatik
Fixed in: 4.3.1
CVE-2025-26905 describes a Path Traversal vulnerability within the Estatik WordPress plugin. This flaw allows attackers to potentially include arbitrary files on the server, leading to sensitive data exposure or even remote code execution. The vulnerability impacts versions from 0.0.0 up to and including 4.3.0. A fix is available via plugin update.
The core of this vulnerability lies in the improper handling of file paths within the Estatik plugin. An attacker can craft malicious requests that manipulate the pathname, bypassing intended restrictions and accessing files outside the designated directory. Successful exploitation allows for PHP Local File Inclusion (LFI), meaning an attacker can include arbitrary PHP files from the server's filesystem. This could expose sensitive configuration files, database credentials, or even allow the attacker to execute arbitrary code if they can upload a malicious PHP file. The blast radius extends to the entire WordPress installation, as the attacker could potentially gain control of the web server.
CVE-2025-26905 was publicly disclosed on 2025-02-25. No public proof-of-concept (PoC) code has been widely released, but path traversal is a well-understood attack vector, and an LFI primitive is readily leveraged once found. The EPSS score is likely to be medium, reflecting the ease of exploitation and potential impact. Monitor WordPress security forums and vulnerability databases for signs of active exploitation.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC: (not listed)
CVSS Vector: (not listed)
The primary mitigation for CVE-2025-26905 is to immediately update the Estatik plugin to a version that addresses the vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the affected plugin functionality. Web Application Firewalls (WAFs) can be configured with rules to block requests containing suspicious path traversal patterns, such as double dots (..) or absolute paths. Thoroughly review the Estatik plugin's configuration and ensure that file upload directories are properly secured and that file extensions are strictly validated. After upgrading, verify the fix by attempting to access files outside the intended directory via a web browser or a tool like curl.
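As an added example (not from the page or the Estatik project): a small log-triage script that applies the WAF-style checks described above (dot-dot segments and absolute paths, including URL-encoded and double-encoded forms) to constructed access-log lines, so a defender can spot traversal attempts against the plugin and prioritise those that returned 200. The plugin endpoint and parameter names in the sample lines are hypothetical placeholders, since the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (not real traffic). The endpoint
# "example-endpoint.php" and the "path" parameter are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Feb/2025:10:00:01 +0000] "GET /wp-content/plugins/estatik/example-endpoint.php?path=listing.php HTTP/1.1" 200 512
203.0.113.9 - - [25/Feb/2025:10:00:02 +0000] "GET /wp-content/plugins/estatik/example-endpoint.php?path=../../../wp-config.php HTTP/1.1" 200 1024
198.51.100.7 - - [25/Feb/2025:10:00:03 +0000] "GET /wp-content/plugins/estatik/example-endpoint.php?path=..%252f..%252fwp-config.php HTTP/1.1" 200 1024
198.51.100.8 - - [25/Feb/2025:10:00:04 +0000] "GET /wp-content/plugins/estatik/example-endpoint.php?path=/etc/passwd HTTP/1.1" 403 0
"""

# Common Log Format: client, identd, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(value: str) -> str:
    """Percent-decode repeatedly (catches %252e double encoding) and unify slashes."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")

def traversal_indicators(value: str) -> list:
    """Return the traversal indicators found in one decoded parameter value."""
    v = normalize(value)
    hits = []
    if re.search(r'(^|/)\.\.(/|$)', v):      # a ".." path segment
        hits.append("dot-dot segment")
    if v.startswith("/"):                     # absolute path outside the plugin dir
        hits.append("absolute path")
    if "\x00" in v:                           # null byte, used to cut off extensions
        hits.append("null byte")
    return hits

def scan_log(text: str, plugin_prefix: str = "/wp-content/plugins/estatik/") -> list:
    """Scan log lines for requests to the plugin whose parameters look like traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.startswith(plugin_prefix):
            continue
        for name, val in parse_qsl(parts.query, keep_blank_values=True):
            ind = traversal_indicators(val)
            if ind:
                findings.append({"ip": m["ip"], "param": name, "value": val,
                                 "status": int(m["status"]), "indicators": ind})
    return findings
```

A 200 response to a flagged request (as in the second and third sample lines) deserves immediate investigation; a 403 suggests the WAF rule fired.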
CVE-2025-26905 is a Path Traversal vulnerability affecting the Estatik WordPress plugin, allowing attackers to potentially include arbitrary files on the server.
If you are running the Estatik WordPress plugin at any version from 0.0.0 through 4.3.0, you are potentially affected by this vulnerability.
The recommended fix is to update the Estatik plugin to a patched version. If immediate upgrade is not possible, implement temporary restrictions and WAF rules.
While no widespread exploitation has been confirmed, the vulnerability is well-understood and could be exploited, so vigilance is advised.
Refer to the Estatik plugin's official website or WordPress plugin repository for the latest advisory and update information.