Platform: wordpress
Component: fwdevp
Fixed in: 10.0.1
CVE-2025-28955 describes an Arbitrary File Access vulnerability discovered in the Easy Video Player Wordpress & WooCommerce plugin developed by FWDesign. An attacker who supplies a manipulated file path can read files on the server that the plugin was never meant to serve. All versions of the plugin up to and including 10.0 are affected (the advisory lists the range as 0.0.0 through 10.0). A patch has been released in version 10.0.1.
The Arbitrary File Access vulnerability allows an attacker to bypass the plugin's intended access restrictions and read any file the web server process can open on the host. On a WordPress site the most valuable target is wp-config.php, which holds the database credentials and the authentication keys and salts; other configuration files and plugin or theme source code are also exposed. The advisory does not describe a direct remote code execution path, but leaked database credentials or authentication salts can be used to connect to the database, forge authentication cookies, or discover further weaknesses, so successful exploitation can lead to complete compromise of the WordPress installation and potentially the underlying server.
CVE-2025-28955 was publicly disclosed on 2025-07-16. There is no indication of active exploitation campaigns at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but path traversal flaws are simple to exploit once the vulnerable parameter is known, so exploits are likely to emerge.
Exploit Status
EPSS: 0.08% (23rd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-28955 is to upgrade the Easy Video Player Wordpress & WooCommerce plugin to version 10.0.1 or later immediately. If upgrading is not immediately feasible because of compatibility or testing requirements, a Web Application Firewall (WAF) rule that blocks path traversal sequences is a stop-gap; such a rule must match URL-encoded forms (`%2e%2e%2f`, `..%2f`), double-encoded forms (`%252e%252e`) and backslash variants (`..%5c`), not only the literal `../`, and it does not remove the underlying flaw. Review file permissions on the WordPress host so that the web server user has only the access it needs; this limits what an arbitrary file read can reach outside the web root, although it cannot protect files PHP itself must read, such as wp-config.php. Monitor web server access logs for requests that contain traversal sequences in the path or query string, again including the encoded forms.
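The log monitoring step above is easy to get wrong if the check only looks for a literal `../`. The following script is an added example written for this page, not code from FWDesign, the plugin or the advisory: it parses Common Log Format access log lines, percent-decodes each request target repeatedly (so double-encoded `%252e%252e` collapses to `..`), folds backslashes to forward slashes, and flags any request whose path or query value contains a `..` segment or a null byte. The log lines are constructed samples, and the `fwdevp/?file=` URL and `file` parameter are placeholders for illustration, not the plugin's real endpoint.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A ".." that stands alone as a path segment (so "intro..v2.mp4" is not a hit).
DOTDOT_SEGMENT = re.compile(r'(^|/)\.\.(/|$)')

# Constructed sample lines (not real traffic). The plugin path, the "file"
# parameter and the file names are placeholders, not the plugin's actual endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jul/2025:10:00:01 +0000] "GET /index.php?p=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [16/Jul/2025:10:00:02 +0000] "GET /wp-content/uploads/2025/07/intro..v2.mp4 HTTP/1.1" 200 9000',
    '198.51.100.7 - - [16/Jul/2025:10:00:03 +0000] "GET /wp-content/plugins/fwdevp/?file=../../../wp-config.php HTTP/1.1" 200 3120',
    '198.51.100.7 - - [16/Jul/2025:10:00:04 +0000] "GET /wp-content/plugins/fwdevp/?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3120',
    '198.51.100.7 - - [16/Jul/2025:10:00:05 +0000] "GET /wp-content/plugins/fwdevp/?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3120',
    '198.51.100.7 - - [16/Jul/2025:10:00:06 +0000] "GET /wp-content/plugins/fwdevp/?file=..%5c..%5cwp-config.php HTTP/1.1" 404 210',
    '192.0.2.9 - - [16/Jul/2025:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]


def decode_fully(value: str, max_rounds: int = 4) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    %252e%252e%252f ends up as '../' just like %2e%2e%2f does. Backslashes
    are folded to '/' so '..\\..\\' is treated like '../../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True if the request path or any query value, after full decoding,
    contains a '..' path segment or an embedded null byte."""
    parts = urlsplit(target)
    # parse_qsl decodes one layer; decode_fully handles any further layers.
    candidates = [parts.path] + [
        value for _, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    for raw in candidates:
        decoded = decode_fully(raw)
        if DOTDOT_SEGMENT.search(decoded) or "\x00" in decoded:
            return True
    return False


def scan_log(lines):
    """Return one finding per log line whose request target shows traversal."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in Common Log Format; skip rather than guess
        if has_traversal(match["target"]):
            hits.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "status": match["status"],
                "target": match["target"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["target"]}')
```

Run against the constructed sample, the scan flags the four requests from 198.51.100.7 (plain, URL-encoded, double-encoded and backslash variants) and leaves the `intro..v2.mp4` download alone. A 200 status on a flagged request is the line worth investigating first, since it suggests the read succeeded; a 404 still shows someone probing.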
Update the Easy Video Player Wordpress & WooCommerce plugin to the latest available version to fix the directory traversal vulnerability. Check for updates in the WordPress admin dashboard or in the WordPress plugin repository. Make sure to back up the site before updating.
CVE-2025-28955 is a HIGH severity vulnerability in Easy Video Player Wordpress & WooCommerce that allows attackers to read arbitrary files via path traversal. It affects all versions up to and including 10.0 (listed as 0.0.0 through 10.0).
If you are running Easy Video Player Wordpress & WooCommerce at any version up to and including 10.0, you are affected by this vulnerability.
Upgrade to version 10.0.1 or later to resolve the Arbitrary File Access vulnerability. Consider WAF rules as a temporary mitigation.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the FWDesign website and WordPress plugin repository for the official advisory and update information.