Platform
wordpress
Component
buddypress-xprofile-image-field
Fixed in
3.0.2
CVE-2025-48158 describes an Arbitrary File Access vulnerability within the BuddyPress XProfile Custom Image Field plugin. This flaw allows attackers to potentially read arbitrary files on the server by manipulating file paths. The vulnerability impacts versions from 0.0.0 up to and including 3.0.1. A patch has been released in version 3.0.2.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access controls and read files outside of the intended directory. Successful exploitation could lead to the exposure of sensitive data such as configuration files, database credentials, or even source code. While direct code execution is not immediately possible, the information gained from file disclosure could be used to identify and exploit other vulnerabilities within the WordPress environment. This is a significant risk, especially on shared hosting environments where multiple websites share the same server resources.
This CVE was published on 2025-08-20. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability's severity is considered HIGH due to the potential for sensitive data disclosure. It is not currently listed on the CISA KEV catalog. Active exploitation is not confirmed, but the ease of exploitation makes it a potential target.
Exploit Status
EPSS
0.06% (19% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately upgrade the BuddyPress XProfile Custom Image Field plugin to version 3.0.2 or later. If upgrading is not immediately feasible, implement temporary workarounds to restrict file access. This can be achieved by carefully validating user-supplied file paths and ensuring that the plugin only accesses files within the designated upload directory. Consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Regularly review file permissions to ensure that only necessary files are accessible.
Actualice el plugin BuddyPress XProfile Custom Image Field a la versión 3.0.2 o superior para mitigar la vulnerabilidad de recorrido de ruta. Esta actualización aborda la falta de limitación adecuada de la ruta de acceso, previniendo la eliminación arbitraria de archivos.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-48158 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server through path traversal in the BuddyPress XProfile Custom Image Field plugin.
You are affected if you are using BuddyPress XProfile Custom Image Field versions 0.0.0 through 3.0.1. Upgrade to 3.0.2 or later to resolve the issue.
Upgrade the BuddyPress XProfile Custom Image Field plugin to version 3.0.2 or later. As a temporary workaround, restrict file access and validate user input.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the official BuddyPress XProfile Custom Image Field plugin documentation and WordPress security announcements for the latest advisory information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.