Platform
wordpress
Component
seofy-core
Fixed in
1.6.9
CVE-2025-39473 describes a Path Traversal vulnerability within the Seofy Core component, allowing for PHP Local File Inclusion. This vulnerability enables attackers to potentially read arbitrary files on the server, leading to sensitive data exposure or, in some cases, remote code execution. The vulnerability impacts versions of Seofy Core from 0.0.0 up to and including 1.6.8, with a fix available in version 1.6.11.
The Path Traversal vulnerability in Seofy Core allows an attacker to bypass intended access restrictions and include arbitrary files on the server. By manipulating file paths, an attacker can potentially access sensitive configuration files, source code, or other critical data. Successful exploitation could lead to the disclosure of database credentials, API keys, or other confidential information. In a worst-case scenario, an attacker could leverage this vulnerability to execute arbitrary PHP code, effectively gaining control of the affected WordPress site. This is similar to other Local File Inclusion vulnerabilities where attackers leverage path manipulation to gain unauthorized access.
CVE-2025-39473 was publicly disclosed on 2025-06-09. The vulnerability's severity is rated HIGH (CVSS: 8.1). Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS
0.07% (20% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-39473 is to immediately upgrade Seofy Core to version 1.6.11 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing temporary workarounds. These may include restricting file access permissions on the server, implementing strict input validation to sanitize user-supplied file paths, and utilizing a Web Application Firewall (WAF) to filter out malicious requests. Monitor access logs for suspicious file inclusion attempts. After upgrading, confirm the fix by attempting to access a restricted file via the vulnerable endpoint and verifying that access is denied.
Update to version 1.6.11, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-39473 is a Path Traversal vulnerability in Seofy Core allowing PHP Local File Inclusion, potentially exposing sensitive data or enabling code execution.
You are affected if your WordPress site uses Seofy Core versions 0.0.0 through 1.6.8. Check your plugin versions and upgrade immediately.
Upgrade Seofy Core to version 1.6.11 or later. If immediate upgrade isn't possible, implement temporary workarounds like restricting file access and using a WAF.
As of the last update, there are no known public exploits or active campaigns targeting CVE-2025-39473, but vigilance is still advised.
Refer to the official Seofy Core project website or WordPress plugin repository for the latest advisory and security updates related to CVE-2025-39473.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.