Platform: wordpress
Component: dyapress
Fixed in: 18.0.3
CVE-2025-30582 describes a Path Traversal vulnerability in the aytechnet DyaPress ERP/CRM system. Because the plugin does not properly restrict file paths, an attacker can turn the flaw into PHP Local File Inclusion. Versions of DyaPress ERP/CRM from 0.0.0 through 18.0.2.0 are affected. A patch is available in version 18.0.3.
The Path Traversal vulnerability in DyaPress ERP/CRM allows an attacker to include arbitrary files from the server's filesystem. This can be exploited to read sensitive configuration files, source code, or even execute malicious PHP code. Successful exploitation could result in the disclosure of database credentials, API keys, or other confidential information. Furthermore, an attacker could potentially gain remote code execution by including a malicious PHP script, effectively compromising the entire server. The impact is amplified if the DyaPress ERP/CRM system is exposed directly to the internet or if it interacts with other sensitive systems.
CVE-2025-30582 was publicly disclosed on 2025-04-10. The vulnerability is considered HIGH severity due to the potential for remote code execution. No public proof-of-concept exploits have been identified as of this writing, but the nature of Path Traversal vulnerabilities makes them relatively easy to exploit. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.26% (49th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-30582 is to upgrade DyaPress ERP/CRM to version 18.0.3 or later, which contains the fix. If upgrading immediately is not possible, consider implementing temporary workarounds. Restrict access to the DyaPress ERP/CRM application through a Web Application Firewall (WAF) or proxy server, configuring rules to block requests containing path traversal sequences (e.g., ../). Review and harden file permissions on the server to limit the attacker's ability to read sensitive files, even if they manage to include them. Monitor system logs for suspicious activity, particularly attempts to access files outside of the expected directories.
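The WAF-rule and log-monitoring workarounds above both hinge on recognising a traversal sequence reliably. The following is an added example, not code from the page, the DyaPress plugin or aytechnet: it normalises a request parameter (percent-decoding repeatedly, so double-encoded forms are not missed) before testing for a `..` path segment, then runs that check over a few constructed access-log lines. The plugin path `/wp-content/plugins/dyapress/index.php`, the `page` parameter name and every log line are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not from any real deployment.
# The dyapress index.php path and the "page" parameter are assumed for illustration only.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2025:12:00:01 +0000] "GET /wp-content/plugins/dyapress/index.php?page=dashboard HTTP/1.1" 200 512
203.0.113.11 - - [10/Apr/2025:12:00:02 +0000] "GET /wp-content/plugins/dyapress/index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024
203.0.113.12 - - [10/Apr/2025:12:00:03 +0000] "GET /wp-content/plugins/dyapress/index.php?page=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
203.0.113.13 - - [10/Apr/2025:12:00:04 +0000] "GET /wp-content/plugins/dyapress/index.php?page=%252e%252e%252fwp-config.php HTTP/1.1" 403 0
203.0.113.14 - - [10/Apr/2025:12:00:05 +0000] "GET /wp-content/plugins/dyapress/assets/style.css HTTP/1.1" 200 300
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path_value(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), then unify backslashes to slashes.

    A rule that only matches the literal '../' misses '%2e%2e%2f' and the
    double-encoded '%252e%252e%252f'; decoding first closes that gap.
    """
    decoded = value
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal_attempt(value: str) -> bool:
    """True when any path segment of the normalised value is exactly '..'.

    Checking whole segments avoids false positives on names such as
    'report..pdf' while still catching every climb out of the base directory.
    """
    normalized = normalize_path_value(value)
    return any(segment == ".." for segment in normalized.split("/"))


def scan_access_log(text: str) -> list:
    """Return one record per request whose path or any query value contains traversal."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(match.group("target"))
        # parse_qsl already decodes once; normalize_path_value handles further layers.
        candidates = [parts.path] + [val for _, val in parse_qsl(parts.query, keep_blank_values=True)]
        if any(is_traversal_attempt(candidate) for candidate in candidates):
            hits.append({
                "ip": match.group("ip"),
                "time": match.group("ts"),
                "target": match.group("target"),
                "status": match.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        # A 200 means the request reached the application; those are the ones to triage first.
        print(f'{hit["ip"]} {hit["status"]} {hit["target"]}')
```

Run over the constructed log the scanner flags three of the five requests; two of them were served with HTTP 200, which is the signal that a WAF rule matching only the literal `../` would have let through. The same `is_traversal_attempt` check can sit in front of the application as a request filter, with the caveat that it must see the decoded parameter, not the raw URL.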
Update the DyaPress ERP/CRM plugin to the latest available version to fix the local file inclusion vulnerability. Check the plugin's page on WordPress.org for the most recent version and the update instructions. Make sure to back up your website before updating any plugin.
CVE-2025-30582 is a Path Traversal vulnerability allowing attackers to include arbitrary files in DyaPress ERP/CRM, potentially leading to sensitive data exposure or code execution. It affects versions 0.0.0–18.0.2.0.
If you are using DyaPress ERP/CRM versions 0.0.0 through 18.0.2.0, you are potentially affected by this vulnerability. Upgrade to 18.0.3 or later to mitigate the risk.
The recommended fix is to upgrade DyaPress ERP/CRM to version 18.0.3 or later. As a temporary workaround, implement WAF rules to block path traversal attempts.
While no public exploits are currently known, the vulnerability's nature makes it easily exploitable, and active exploitation is possible.
Refer to the official DyaPress ERP/CRM security advisories on their website or through their support channels for the latest information.