Platform: wordpress
Component: wp-editor
Fixed in: 1.2.10
CVE-2025-3294 is a Directory Traversal vulnerability affecting the WP Editor plugin for WordPress. This vulnerability allows authenticated attackers with Administrator-level access to overwrite arbitrary files on the server, potentially leading to remote code execution. The vulnerability impacts versions 0.0.0 through 1.2.9.1. A patch is expected from the plugin developer.
The primary impact of CVE-2025-3294 is the potential for arbitrary file overwrites. An attacker, having administrator privileges on a WordPress site using the vulnerable plugin, can leverage this flaw to modify critical system files. Successful exploitation could lead to remote code execution (RCE) if the attacker can overwrite files that are subsequently executed by the web server (e.g., PHP files). This could grant the attacker complete control over the affected WordPress instance, enabling data theft, website defacement, or further malicious activities. The blast radius extends to the entire WordPress installation and any data stored within it.
CVE-2025-3294 was publicly disclosed on 2025-04-17. No public proof-of-concept (PoC) code is currently available, but the vulnerability's nature suggests that a PoC could be developed relatively easily. The EPSS score is likely to be medium, given the requirement for administrator privileges and the potential for RCE. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 2.33% (85th percentile)
The immediate mitigation for CVE-2025-3294 is to upgrade the WP Editor plugin to a patched version as soon as it becomes available. Until a patch is released, consider restricting file upload permissions for administrator users to only approved directories. Implement strict file access controls on the server to limit the impact of a potential file overwrite. Web Application Firewalls (WAFs) configured with rules to detect and block attempts to access files outside of designated directories can provide an additional layer of protection. Monitor WordPress logs for unusual file access patterns.
Update the WP Editor plugin to the latest available version to fix the directory traversal vulnerability. This update corrects the missing validation of the file path, preventing authenticated attackers from overwriting arbitrary files on the server.
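As an added illustration of the kind of path check whose absence the update fixes (this is example code, not the plugin's or the vendor's own): a PHP helper that confines an administrator-supplied relative path to one allowed base directory before any write, rejecting traversal segments, absolute paths, NUL bytes and symlink hops. The base directory used in the demo is a constructed temporary folder.

```php
<?php
// Added example: confine a user-supplied relative path to an allowed base
// directory before writing. Not code from the WP Editor plugin.
function confine_path(string $base_dir, string $relative): ?string {
    $base = realpath($base_dir);
    if ($base === false) { return null; }
    // Reject empty input, NUL bytes, and absolute paths (POSIX or drive-letter) outright.
    if ($relative === '' || strpos($relative, "\0") !== false
        || $relative[0] === '/' || preg_match('#^[A-Za-z]:[\\\\/]#', $relative)) {
        return null;
    }
    // Normalise lexically so that targets which do not exist yet (new files) can be checked.
    $parts = [];
    foreach (preg_split('#[\\\\/]+#', $relative) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') {
            if (empty($parts)) { return null; }   // would climb above the base
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    if (empty($parts)) { return null; }
    $candidate = $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);
    // The parent directory must exist and resolve inside $base; realpath() follows symlinks,
    // so a link planted under the base cannot redirect the write elsewhere.
    $parent = realpath(dirname($candidate));
    if ($parent === false
        || strpos($parent . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // The final component itself must not be a symlink either.
    if (is_link($candidate)) { return null; }
    return $candidate;
}

// Demo with a constructed base directory (in a real plugin this would be the
// directory the editor is meant to manage, e.g. the active theme folder).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-editor-demo';
@mkdir($base . DIRECTORY_SEPARATOR . 'themes', 0700, true);
$cases = ['themes/style.css', '../wp-config.php', 'themes/../../wp-config.php',
          '/etc/passwd', "themes/x\0.php", 'themes/./functions.php'];
foreach ($cases as $c) {
    $r = confine_path($base, $c);
    printf("%-30s => %s\n", addcslashes($c, "\0"),
           $r === null ? 'REJECTED' : 'ok: ' . substr($r, strlen($base) + 1));
}
```

The first, second-to-last and last cases are accepted; every attempt to leave the base directory is rejected before any filesystem write takes place.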
CVE-2025-3294 is a Directory Traversal vulnerability in the WP Editor WordPress plugin, allowing authenticated attackers to overwrite files.
If you are using the WP Editor plugin in WordPress versions 0.0.0–1.2.9.1, you are potentially affected by this vulnerability.
Upgrade the WP Editor plugin to the latest available version as soon as a patch is released by the plugin developer. Until then, restrict file upload permissions.
There is no confirmed active exploitation of CVE-2025-3294 at this time, but the vulnerability's nature makes it a potential target.
Refer to the plugin developer's website or the WordPress plugin repository for official advisories and updates regarding CVE-2025-3294.