Platform: wordpress
Component: aviation-weather-from-noaa
Fixed in: 0.7.3
CVE-2025-28980 describes an Arbitrary File Access vulnerability discovered in the Aviation Weather from NOAA WordPress plugin. This flaw allows attackers to potentially read arbitrary files on the server due to improper input validation. Versions 0.0.0 through 0.7.2 are affected. A patch has been released in version 0.7.3.
The vulnerability stems from a path traversal flaw, allowing an attacker to manipulate file paths and access files outside of the intended directory. Successful exploitation could lead to the disclosure of sensitive information such as configuration files, database credentials, or source code. Depending on the server's configuration and the files accessible, this could enable further compromise, including code execution or data exfiltration. The impact is amplified if the server hosts other sensitive applications or data.
This vulnerability was publicly disclosed on 2025-07-04. Currently, there are no known public exploits or active campaigns targeting this specific flaw. It is not listed in the CISA KEV catalog at the time of writing. The ease of exploitation is relatively high due to the path traversal nature of the vulnerability, making it a potential target for opportunistic attackers.
Exploit Status
EPSS: 0.08% (25% percentile)
The primary mitigation is to immediately upgrade the Aviation Weather from NOAA plugin to version 0.7.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Restrict file permissions on the server to minimize the potential impact of file disclosure. Regularly review server logs for suspicious activity, particularly requests containing unusual file paths. After upgrading, confirm the vulnerability is resolved by attempting to access a non-existent file via a path traversal request.
Update the Aviation Weather from NOAA plugin to the latest available version to fix the directory traversal vulnerability. This update corrects how the plugin handles file paths, preventing unauthorized access to sensitive files.
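The log review recommended above, as an added example (not code from the advisory or the plugin): a Python scan of Combined Log Format access-log lines that percent-decodes each request target before looking for ".." path segments, so encoded variants that a literal ../ rule would miss are still caught. The sample lines, the /example-endpoint path and the file parameter are constructed placeholders, since the advisory does not name the affected endpoint.

```python
import re
from urllib.parse import unquote

# Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# A ".." path segment: preceded by a delimiter, followed by a slash,
# a backslash or the end of the target. "1..2" inside a name does not match.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\]|$)')


def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both surface."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_traversal(lines):
    """Return (client, raw_target, status) for requests with a '..' segment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format request line
        client, _method, target, status = m.groups()
        if TRAVERSAL_RE.search(fully_decode(target)):
            hits.append((client, target, int(status)))
    return hits


# Constructed sample lines. "/example-endpoint" and "file" are placeholders:
# the advisory does not name the plugin's affected endpoint or parameter.
_T = '[05/Jul/2025:10:00:00 +0000]'
SAMPLE_LOG = [
    f'198.51.100.7 - - {_T} "GET /example-endpoint?file=../../wp-config.php HTTP/1.1" 200 512',
    f'198.51.100.7 - - {_T} "GET /example-endpoint?file=%2e%2e%2fwp-config.php HTTP/1.1" 403 0',
    f'198.51.100.7 - - {_T} "GET /example-endpoint?file=%252e%252e%252fetc HTTP/1.1" 404 0',
    f'198.51.100.7 - - {_T} "GET /example-endpoint?file=..%5c..%5cx HTTP/1.1" 403 0',
    f'203.0.113.9 - - {_T} "GET /blog/release-1..2/?utm=x HTTP/1.1" 200 9000',
    f'203.0.113.9 - - {_T} "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, target, status in find_traversal(SAMPLE_LOG):
        # A 2xx status on a traversal request deserves the closest look.
        print(f"{status} {client} {target}")
```

A flagged request that returned a 2xx status is the one to investigate first, because the server may have served a file in response.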
CVE-2025-28980 is a HIGH severity vulnerability in Aviation Weather from NOAA allowing attackers to read arbitrary files due to a path traversal flaw. It affects versions 0.0.0 through 0.7.2.
If you are using Aviation Weather from NOAA version 0.0.0 to 0.7.2, you are affected by this vulnerability and should upgrade immediately.
Upgrade the Aviation Weather from NOAA plugin to version 0.7.3 or later. Consider WAF rules as a temporary mitigation.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Check the WordPress plugin repository and the developer's website for the latest advisory and update information.