Platform: wordpress
Component: wpmastertoolkit
Fixed in: 1.10.0, 2.5.4
CVE-2025-3300 describes an Arbitrary File Access vulnerability discovered in the WPMasterToolKit (WPMTK) – All in one plugin for WordPress. This vulnerability allows authenticated administrators to read and modify arbitrary files on the server, potentially leading to data breaches and system compromise. The vulnerability affects versions 1.0.0 through 1.15.0, and a fix is available in version 2.5.4.
An attacker exploiting CVE-2025-3300 could gain unauthorized access to sensitive files on the WordPress server. This includes configuration files containing database credentials, source code with API keys, or even user data. Successful exploitation could lead to complete server compromise, data exfiltration, and potential disruption of services. The ability to modify arbitrary files also presents a risk of malicious code injection, allowing attackers to escalate their privileges and maintain persistent access. This vulnerability is particularly concerning given the popularity of WordPress and the potential for widespread exploitation.
CVE-2025-3300 was publicly disclosed on April 24, 2025. There are currently no known public exploits or active campaigns targeting this vulnerability. Because exploitation requires an authenticated administrator, the immediate risk is lower than for vulnerabilities that require no authentication. Its presence in the widely deployed WordPress ecosystem still warrants careful attention and prompt remediation.
Exploit Status
EPSS: 1.27% (79th percentile)
The primary mitigation for CVE-2025-3300 is to immediately upgrade the WPMasterToolKit plugin to version 2.5.4 or later. If an immediate upgrade is not possible due to compatibility issues or testing requirements, consider restricting administrator access to the plugin's functionalities. Implement strict file access controls on the WordPress server to limit the potential impact of a successful attack. Regularly review server logs for suspicious activity, particularly attempts to access files outside of the plugin's intended directories. After upgrading, verify the fix by attempting to access a restricted file via the vulnerable endpoint and confirming that access is denied.
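To support the version check that the mitigation above relies on, here is an added POSIX shell helper (not code from the advisory or from the WPMasterToolKit project) that classifies an installed plugin version against the ranges the advisory states: affected 1.0.0 through 1.15.0, fixed in 2.5.4. It compares versions numerically rather than as strings, so 1.10.0 is correctly seen as newer than 1.9.0; the WP-CLI call `wp plugin get wpmastertoolkit --field=version` is assumed to be the way the installed version is obtained.

```shell
#!/bin/sh
# Added example, not code from the advisory or the WPMasterToolKit project.
# Classifies a WPMasterToolKit version against the ranges given in the advisory:
# affected 1.0.0 through 1.15.0, fixed in 2.5.4.
# Usage: ./wpmtk_check.sh [version]  (without an argument, asks WP-CLI if present)

# Compare two dotted versions numerically; prints -1, 0 or 1.
# Missing components count as 0 ("1.10" equals "1.10.0"); non-digit suffixes
# such as "-beta" are ignored in the comparison.
vercmp() {
  a="$1.0.0.0"; b="$2.0.0.0"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i" | tr -dc '0-9'); x=${x:-0}
    y=$(printf '%s\n' "$b" | cut -d. -f"$i" | tr -dc '0-9'); y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# Prints "affected", "fixed" or "unlisted" for the given version string.
# "unlisted" means the version lies outside both stated ranges (for example
# 1.16.0 through 2.5.3), so it must be confirmed against the vendor changelog.
wpmtk_status() {
  v="$1"
  if [ "$(vercmp "$v" 1.0.0)" -ge 0 ] && [ "$(vercmp "$v" 1.15.0)" -le 0 ]; then
    printf '%s\n' affected
  elif [ "$(vercmp "$v" 2.5.4)" -ge 0 ]; then
    printf '%s\n' fixed
  else
    printf '%s\n' unlisted
  fi
}

# Entry point: take the version from the command line, or from WP-CLI when
# it is installed and reachable from the site's document root.
if [ -n "${1:-}" ]; then
  installed="$1"
elif command -v wp >/dev/null 2>&1; then
  installed=$(wp plugin get wpmastertoolkit --field=version 2>/dev/null || true)
else
  installed=""
fi
if [ -n "$installed" ]; then
  printf 'wpmastertoolkit %s: %s\n' "$installed" "$(wpmtk_status "$installed")"
fi
```

Run it from the WordPress root so WP-CLI can locate the site, or pass the version explicitly if WP-CLI is not available.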
Update the WPMasterToolKit (WPMTK) – All in one plugin to version 2.5.4 or later to mitigate the Directory Traversal vulnerability. This update corrects how the plugin handles file paths, preventing unauthorized access to sensitive files on the server. Be sure to back up your website before updating the plugin.
CVE-2025-3300 is a HIGH severity vulnerability in WPMasterToolKit allowing authenticated admins to read/modify arbitrary files, potentially exposing sensitive data.
You are affected if your WordPress site uses WPMasterToolKit version 1.0.0–1.15.0. Check your plugin version and upgrade if necessary.
Upgrade WPMasterToolKit to version 2.5.4 or later. If immediate upgrade is not possible, restrict admin access and implement file access controls.
Currently, there are no known public exploits or active campaigns targeting CVE-2025-3300, but prompt remediation is still recommended.
Refer to the WPMasterToolKit official website or WordPress plugin repository for the latest advisory and update information.