Platform
wordpress
Component
wp-pipes
Fixed in
1.4.3
CVE-2025-48267 describes an Arbitrary File Access vulnerability discovered in WP Pipes, a WordPress plugin. This vulnerability allows attackers to read arbitrary files on the server by manipulating file paths, potentially exposing sensitive data like configuration files or database credentials. The vulnerability affects versions of WP Pipes prior to 1.4.3, and a patch is available in version 1.4.3.
The primary impact of CVE-2025-48267 is the potential for unauthorized access to sensitive files on the web server. An attacker could exploit this vulnerability to read configuration files containing database passwords, API keys, or other sensitive information. Successful exploitation could lead to complete compromise of the WordPress site and potentially the underlying server. While the vulnerability requires direct access to the WordPress site, the ease of path manipulation makes it a relatively low-skill attack. This is similar to other path traversal vulnerabilities where attackers leverage '..' sequences to navigate the file system.
CVE-2025-48267 was publicly disclosed on 2025-06-09. There are currently no known public proof-of-concept exploits available, but the ease of exploitation suggests that it is likely to be targeted. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.
Exploit Status
EPSS
0.10% (26% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-48267 is to immediately upgrade WP Pipes to version 1.4.3 or later. If upgrading is not immediately possible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences (e.g., '../'). Restrict file permissions on sensitive files to prevent unauthorized access even if the vulnerability is exploited. Regularly scan your WordPress installation for vulnerable plugins using a security scanner.
Actualice el plugin WP Pipes a la última versión disponible para solucionar la vulnerabilidad de recorrido de directorio. Verifique las actualizaciones disponibles en el panel de administración de WordPress o en el repositorio de plugins de WordPress. Asegúrese de realizar una copia de seguridad de su sitio web antes de actualizar cualquier plugin.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-48267 is a HIGH severity vulnerability in WP Pipes allowing attackers to read arbitrary files on a WordPress server through path manipulation. It affects versions before 1.4.3.
You are affected if your WordPress site uses WP Pipes version 1.4.2 or earlier. Check your plugin versions and upgrade immediately.
Upgrade WP Pipes to version 1.4.3 or later. If immediate upgrade is not possible, implement WAF rules to block suspicious path traversal attempts.
While no public exploits are currently known, the ease of exploitation suggests it may be targeted. Monitor security advisories for updates.
Check the ThimPress website and WordPress plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.