Platform: wordpress
Component: wp01
Fixed in: 2.6.3
CVE-2025-30567 describes an Arbitrary File Access vulnerability within the WP01 WordPress plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability impacts versions 0.0.0 through 2.6.2 of the WP01 plugin, and a fix is available in version 2.6.3.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access controls and read arbitrary files on the server hosting the WordPress site. This could expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the web server and potentially other systems on the network if the attacker can leverage the exposed data for further attacks. The impact is amplified if the server hosts multiple websites or applications, increasing the potential blast radius.
CVE-2025-30567 was publicly disclosed on 2025-03-25. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS: 27.19% (96th percentile)
CISA SSVC
The primary mitigation for CVE-2025-30567 is to immediately upgrade the WP01 plugin to version 2.6.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the WordPress installation to minimize the potential damage if the vulnerability is exploited. Monitor WordPress access logs for suspicious requests containing path traversal attempts.
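As an added example (not from this advisory or the plugin's own code), a small Python scanner for the log-monitoring step above: it percent-decodes each request target, including double-encoded forms, flags parent-directory sequences, and keeps the response status so blocked (403) and possibly successful (200) requests can be told apart. The plugin directory /wp-content/plugins/wp01/ is assumed from the slug, and the endpoint and parameter names in the constructed sample lines are placeholders, not the plugin's real vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Combined Log Format (Apache/Nginx default): client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Plugin directory assumed from the slug "wp01"; endpoint/parameter names in the samples are placeholders.
PLUGIN_PATH = "/wp-content/plugins/wp01/"

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (..%252f) are normalised too."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def has_traversal(target):
    """True if the decoded request target contains a parent-directory sequence ('../' or '..\\')."""
    decoded = decode_fully(target).replace("\\", "/")
    return "../" in decoded or decoded.endswith("/..")

def scan_access_log(lines, plugin_path=PLUGIN_PATH):
    """One record per request carrying a traversal sequence; the status lets a 200 (read
    probably succeeded) stand out from a 403 (blocked, e.g. by the WAF rule above)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not has_traversal(m.group("target")):
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "target": m.group("target"),
            "status": int(m.group("status")),
            "plugin_endpoint": plugin_path in m.group("target").lower(),
        })
    return hits
# Constructed sample lines (not real traffic); addresses come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Mar/2025:10:01:02 +0000] "GET /wp-content/plugins/wp01/example-endpoint.php?file=../../wp-config.php HTTP/1.1" 200 2911 "-" "curl/8.0"',
    '203.0.113.10 - - [25/Mar/2025:10:01:05 +0000] "GET /wp-content/plugins/wp01/example-endpoint.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2911 "-" "curl/8.0"',
    '203.0.113.10 - - [25/Mar/2025:10:01:09 +0000] "GET /wp-content/plugins/wp01/example-endpoint.php?file=..%252f..%252fwp-config.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.7 - - [25/Mar/2025:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Mar/2025:10:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]
for h in scan_access_log(SAMPLE_LOG):
    print(f"{h['time']} {h['ip']} status={h['status']} plugin={h['plugin_endpoint']} {h['target']}")
```

Feed it real access-log lines one at a time (for example from `tail -f`) and alert on any hit with status 200 against the plugin endpoint; a burst of 403s from one address still shows the WAF rule is doing its job.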
Update the WP01 plugin to version 2.6.3 or later to mitigate the path traversal vulnerability. This update corrects the improper limitation of the pathname, preventing unauthorized access to sensitive files.
CVE-2025-30567 is a vulnerability in the WP01 WordPress plugin that allows attackers to read arbitrary files on the server via path traversal.
You are affected if you are using WP01 versions 0.0.0 through 2.6.2. Upgrade to 2.6.3 or later to resolve the issue.
Upgrade the WP01 plugin to version 2.6.3 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
Currently, there are no confirmed reports of active exploitation, but monitoring is advised.
Refer to the WP01 plugin's official website or WordPress plugin repository for the latest security advisory and update information.
CVSS Vector