Platform: wordpress
Component: oxygen-mydata
Fixed in: 1.0.65
CVE-2025-32631 describes an Arbitrary File Access vulnerability discovered in Oxygen MyData for WooCommerce, a WordPress plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability impacts versions from 0.0.0 through 1.0.64, and a patch is available in version 1.0.64.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access controls and read files outside of the intended directory. Successful exploitation could expose sensitive data such as configuration files, database credentials, or even source code. While the plugin itself might not contain highly sensitive information, the server environment it runs within often does. An attacker could leverage this access to gain a deeper understanding of the server's infrastructure, potentially leading to further exploitation attempts. The impact is amplified if the server hosts other critical applications or data.
This vulnerability was publicly disclosed on 2025-04-11. There are currently no known public exploits or active campaigns targeting this specific vulnerability. The CVSS score of 8.6 (HIGH) indicates a significant potential for exploitation if left unaddressed. It is not currently listed on the CISA KEV catalog.
EPSS: 0.38% (59th percentile)
The primary mitigation for CVE-2025-32631 is to immediately upgrade Oxygen MyData for WooCommerce to version 1.0.64 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the WordPress server to minimize the potential damage from a successful exploit. Regularly review WordPress plugin configurations and ensure they adhere to security best practices.
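As a complement to the WAF rule described above, the following added example (not code from the plugin or its vendor) reviews web server access logs for requests carrying path traversal sequences, decoding percent-encoding first so that encoded forms of `../` are matched too. The log lines, the `file` parameter and the file names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format). The "action" and "file"
# parameters and the file names are hypothetical, not taken from the plugin.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Apr/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=demo&file=invoice-17.pdf HTTP/1.1" 200 5120',
    '203.0.113.9 - - [11/Apr/2025:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=demo&file=../../private/config.txt HTTP/1.1" 200 3301',
    '203.0.113.9 - - [11/Apr/2025:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=demo&file=%2e%2e%2f%2e%2e%2fprivate%2fconfig.txt HTTP/1.1" 200 3301',
    '203.0.113.9 - - [11/Apr/2025:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=demo&file=%252e%252e%252fprivate%252fconfig.txt HTTP/1.1" 403 0',
    '198.51.100.2 - - [11/Apr/2025:10:01:00 +0000] "GET /shop/?s=v1..v2 HTTP/1.1" 200 812',
]

REQUEST = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# ".." only counts when it is a whole path segment: preceded by a separator
# and followed by "/", "&" or the end of the request target.
DOTDOT = re.compile(r'(?:^|[/=&?])\.\.(?:/|&|$)')


def normalise(target, max_rounds=3):
    """Percent-decode until stable so single- and double-encoded input compare equal."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")  # treat Windows separators the same way


def find_traversal(lines):
    """Return one record per request whose decoded target contains a '..' segment."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the expected format
        target = normalise(m["target"])
        if DOTDOT.search(target):
            hits.append({"ip": m["ip"], "status": int(m["status"]), "target": target,
                         "served": m["status"].startswith("2")})  # 2xx: review first
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

Records with `served` set to true are requests the server answered successfully and are the ones to review first.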
Update the Oxygen MyData for WooCommerce plugin to the latest available version to resolve the directory traversal vulnerability. This update corrects the inadequate pathname limitation, preventing arbitrary file deletion.
CVE-2025-32631 is a HIGH severity vulnerability allowing attackers to read files outside of intended directories in Oxygen MyData for WooCommerce due to improper path validation.
You are affected if you are using Oxygen MyData for WooCommerce versions 0.0.0 through 1.0.64. Upgrade to 1.0.64 or later to resolve the issue.
Upgrade Oxygen MyData for WooCommerce to version 1.0.64 or later. Consider WAF rules to block path traversal attempts as an interim measure.
As of now, there are no confirmed reports of active exploitation, but the HIGH severity score warrants immediate attention and patching.
Refer to the official Oxygen Suite website and WordPress plugin repository for the latest advisory and update information regarding CVE-2025-32631.