Platform
wordpress
Component
fw-gallery
Fixed in
8.0.1
CVE-2025-49415 describes an Arbitrary File Access vulnerability in the FW Gallery plugin for WordPress. By manipulating a file path supplied to the plugin, an attacker can read sensitive files from the server. The vulnerability affects all versions of FW Gallery up to and including 8.0.0 (listed as 0.0.0 through 8.0.0). A patch is available in version 8.0.1.
This Arbitrary File Access vulnerability lets an attacker bypass the plugin's intended directory restriction and read files from the web server's file system. Anything readable by the web server's process user is in scope: WordPress's wp-config.php (which holds the database credentials and the authentication keys and salts), other configuration files, backups left under the document root, and application source code. Knowledge gained from those files can be used to map the application's architecture, find further weaknesses, or, with database credentials in hand, compromise the site entirely. The blast radius is therefore bounded by the permissions of the web server user, not by the gallery directory the plugin was meant to serve.
CVE-2025-49415 was publicly disclosed on 2025-06-17. No public proof-of-concept exploit is known at the time of writing, and the EPSS score is low (0.10%, 26th percentile). Patching should still be prioritised because the files exposed by an arbitrary file read in WordPress typically include database credentials.
Exploit Status
EPSS
0.10% (26th percentile)
The primary mitigation for CVE-2025-49415 is to upgrade the FW Gallery plugin to version 8.0.1 or later. If upgrading is not immediately feasible because of compatibility concerns, a Web Application Firewall (WAF) rule that blocks traversal sequences in requests to the plugin can reduce exposure; the rule must match after URL decoding and cover the common encodings (../, ..\, %2e%2e%2f, %2e%2e/ and double-encoded forms such as %252e%252e%252f), otherwise a trivially encoded request slips past it. Review file permissions so that the web server's user can read only what it needs; files PHP must itself read, such as wp-config.php, necessarily remain readable, which is why the WAF rule is a stopgap rather than a fix. Monitor access logs for requests to the plugin's endpoints whose parameters contain traversal sequences or reference files outside the gallery directory, and investigate any such request that returned HTTP 200 with a non-trivial response size as a likely successful read.
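Both halves of that mitigation, the log check and the server-side containment a plugin should apply, in one added example. This is illustration code written for this page, not FW Gallery's code or the patch in 8.0.1; the endpoint name example-endpoint.php, the file parameter, the gallery directory and the log lines are constructed placeholders, not the plugin's real endpoint or parameter.

```python
"""Added example (not FW Gallery's code): path traversal detection and containment.

  * scan_access_log()  - the detection side of the mitigation: percent-decode each
    request target repeatedly (so double encoding such as %252e cannot hide "..")
    and flag traversal segments. A WAF rule needs the same normalisation.
  * resolve_within()   - the server-side fix a plugin should apply: resolve the
    requested name against the gallery directory and refuse anything that
    canonicalises outside it.

Placeholders (assumed, not the plugin's real values): the endpoint path
"example-endpoint.php", the "file" parameter, GALLERY_ROOT and SAMPLE_LOG.
"""
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [time] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A ".." segment bounded by a separator (or start/end) after backslashes are
# normalised to "/". The preceding char must not be alphanumeric or a dot, so
# names such as "summer...2024" are not false positives.
TRAVERSAL_RE = re.compile(r"(?:^|[^A-Za-z0-9.])\.\.(?:/|$)")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target: str) -> bool:
    """True if the decoded request target contains a '..' path segment."""
    decoded = fully_decode(target).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, status, decoded_target) for every traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        target = m.group("target")
        if has_traversal(target):
            hits.append((m.group("ip"), m.group("status"), fully_decode(target)))
    return hits


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Canonical path of base_dir/requested, or None if it escapes base_dir.

    realpath() collapses '..' and follows symlinks; commonpath() (rather than a
    string-prefix test) stops '/srv/galleries2' passing as inside '/srv/galleries'.
    """
    base = os.path.realpath(base_dir)
    # os.path.join drops base when 'requested' is absolute, so '/etc/passwd'
    # also fails the containment check below.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


GALLERY_ROOT = "/var/www/html/wp-content/uploads/fw-gallery"  # assumed layout
_EP = "/wp-content/plugins/fw-gallery/example-endpoint.php?file="  # placeholder


def _line(ip: str, ts: str, query: str, status: int, size: int, ua: str) -> str:
    return f'{ip} - - [{ts}] "GET {_EP}{query} HTTP/1.1" {status} {size} "-" "{ua}"'


# Constructed sample log: two benign gallery reads, then four traversal attempts.
SAMPLE_LOG = [
    _line("198.51.100.7", "17/Jun/2025:09:58:10 +0000", "album1/photo.jpg", 200, 48211, "Mozilla/5.0"),
    _line("198.51.100.7", "17/Jun/2025:09:58:11 +0000", "albums/summer...2024/a.jpg", 200, 39120, "Mozilla/5.0"),
    _line("203.0.113.5", "17/Jun/2025:10:02:31 +0000", "../../../../wp-config.php", 200, 3104, "curl/8.5.0"),
    _line("203.0.113.5", "17/Jun/2025:10:02:32 +0000", "..%2F..%2F..%2F..%2Fwp-config.php", 200, 3104, "curl/8.5.0"),
    _line("203.0.113.5", "17/Jun/2025:10:02:33 +0000", "%252e%252e%252f%252e%252e%252fetc%252fpasswd", 200, 1902, "curl/8.5.0"),
    _line("203.0.113.5", "17/Jun/2025:10:02:34 +0000", "..\\..\\..\\..\\wp-config.php", 200, 3104, "curl/8.5.0"),
]

if __name__ == "__main__":
    for ip, status, target in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip} (HTTP {status}): {target}")
    for name in ("album1/photo.jpg", "../../../wp-config.php", "/etc/passwd"):
        print(f"{name!r:28} -> {resolve_within(GALLERY_ROOT, name)}")
```

The decode loop is bounded on purpose: an unbounded "decode until stable" loop is itself a cheap denial-of-service target. resolve_within is the shape of fix a file-serving plugin needs regardless of how the input arrives; checking for the literal string ".." before canonicalisation is not enough, because the same escape can be written with encodings, backslashes or a symlink inside the gallery directory.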
Update the FW Gallery plugin to the latest available version to fix the directory traversal vulnerability. Check for available updates in the WordPress administration panel or through the WordPress plugin repository. Take a full backup of the site before updating any plugin.
CVE-2025-49415 is a HIGH severity vulnerability in FW Gallery for WordPress that allows attackers to read arbitrary files on the server.
You are affected if you are using FW Gallery versions 0.0.0 through 8.0.0. Upgrade to 8.0.1 to mitigate the risk.
Upgrade the FW Gallery plugin to version 8.0.1 or later. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
There are currently no known active exploits, but it's crucial to patch promptly to prevent potential future exploitation.
Refer to the official Fastw3b LLC website or WordPress plugin repository for the latest advisory and update information.