Platform: wordpress
Component: spice-blocks
Fixed in: 2.0.8
CVE-2025-48130 describes an Arbitrary File Access vulnerability within Spice Blocks, a WordPress plugin. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths. Versions of Spice Blocks from 0.0.0 through 2.0.7.4 are affected. A patch has been released in version 2.0.7.5.
The Arbitrary File Access vulnerability in Spice Blocks allows an attacker to bypass intended security restrictions and access files outside of the intended directory. This could lead to the exposure of sensitive data such as configuration files, database credentials, or even source code. Successful exploitation requires an attacker to interact with the vulnerable plugin, potentially through crafted requests or file uploads. The blast radius extends to any data accessible on the server's file system, depending on the attacker's ability to manipulate file paths.
CVE-2025-48130 was publicly disclosed on 2025-06-09. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is recommended to prioritize patching due to the potential for sensitive data exposure.
EPSS: 0.13% (32% percentile)
The primary mitigation for CVE-2025-48130 is to immediately upgrade Spice Blocks to version 2.0.7.5 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. These may include restricting file upload permissions for the plugin, implementing stricter input validation to prevent path traversal attempts, and using a Web Application Firewall (WAF) to filter malicious requests. Monitor access logs for suspicious file access attempts. After upgrading, confirm the vulnerability is resolved by attempting a path traversal request and verifying that access is denied.
Update to version 2.0.7.5, or a newer patched version
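The access-log monitoring recommended above, as an added example (not code from the advisory or from the plugin): it flags requests whose target contains a `..` path segment after repeated percent-decoding and records whether the request was served. The advisory does not name the affected endpoint or parameter, so the log lines are constructed and `example_param` is a hypothetical name.

```python
import re
from urllib.parse import unquote

# Combined log format: client IP, request line in quotes, then status code.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
# A ".." path segment once the target is decoded and slashes are normalised.
TRAVERSAL_RE = re.compile(r'(?:^|[/=&?])\.\.(?:/|&|$)')
PLUGIN_SLUG = "spice-blocks"  # component name given in the advisory


def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) surfaces."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def scan(lines):
    """Return one finding per request whose decoded target has a '..' segment.

    "served" is True for 2xx responses, which should be triaged first."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        decoded = fully_decode(target)
        if TRAVERSAL_RE.search(decoded):
            findings.append({
                "ip": ip, "target": target, "status": status,
                "mentions_plugin": PLUGIN_SLUG in decoded.lower(),
                "served": 200 <= status < 300,
            })
    return findings


# Constructed log lines; "example_param" is a hypothetical parameter name.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2025:10:00:01 +0000] "GET /wp-content/plugins/spice-blocks/style.css HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jun/2025:10:00:02 +0000] "GET /?example_param=..%2F..%2Fsome-file.txt HTTP/1.1" 200 3021',
    '198.51.100.7 - - [10/Jun/2025:10:00:03 +0000] "GET /wp-content/plugins/spice-blocks/?example_param=%252e%252e%255csome-file.txt HTTP/1.1" 403 199',
    '192.0.2.9 - - [10/Jun/2025:10:00:04 +0000] "GET /blog/notes..final/ HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The decoding loop matters because a filter that decodes only once misses `%252e`-style input, and the `served` flag separates requests that returned content from ones already blocked with a 403 or 404.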
CVE-2025-48130 is a HIGH severity vulnerability in Spice Blocks for WordPress that allows attackers to read arbitrary files on the server.
Yes, if you are using Spice Blocks versions 0.0.0 through 2.0.7.4, you are affected by this vulnerability.
Upgrade Spice Blocks to version 2.0.7.5 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrading is not possible.
As of the current disclosure date, there are no confirmed reports of active exploitation, but proactive patching is recommended.
Refer to the Spice Blocks official website or WordPress plugin repository for the latest advisory and update information.