HIGHCVE-2025-53588CVSS 7.7

CVE-2025-53588: Arbitrary File Access in UPC/EAN Code Generator

Platform

wordpress

Component

upc-ean-barcode-generator

Fixed in

2.0.3

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026

View on NVD

Save

CVE-2025-53588 identifies an Arbitrary File Access vulnerability within the UPC/EAN/GTIN Code Generator, a WordPress plugin. This flaw allows attackers to potentially read sensitive files from the server due to improper input validation. Versions 0.0.0 through 2.0.2 are affected. A fix is available in version 2.0.3.

Impact and Attack Scenarios

The vulnerability stems from a path traversal flaw, enabling an attacker to manipulate file paths and access files outside the intended directory. Successful exploitation could lead to the disclosure of sensitive information such as configuration files, database credentials, or even source code. Depending on the files accessible, this could facilitate further attacks, including privilege escalation or data breaches. The impact is amplified if the server hosts other critical applications or data.

Exploitation Context

This CVE was published on 2025-08-28. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.7 indicates a high probability of exploitation if the vulnerability is exposed. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

EPSS

0.06% (18% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impactpartial

CVSS Vector

Affected Software

Componentupc-ean-barcode-generator

VendorDmitry V. (CEO of "UKR Solution")

Affected rangeFixed in

0.0.0 – 2.0.22.0.3

Weakness Classification (CWE)

CWE-22

Timeline

Reserved2025-07-03
Published2025-08-28
Modified2026-04-28
EPSS updated2026-03-23

Mitigation and Workarounds

The primary mitigation is to immediately upgrade the UPC/EAN/GTIN Code Generator plugin to version 2.0.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the WordPress installation to minimize the potential damage from a successful exploit. Regularly review WordPress plugin installations and remove any unused or outdated plugins.

How to fix

Actualice el plugin UPC/EAN/GTIN Code Generator a la última versión disponible para solucionar la vulnerabilidad de recorrido de ruta. Esta actualización debe mitigar el riesgo de eliminación arbitraria de archivos en su sitio de WordPress.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-53588 — Arbitrary File Access in UPC/EAN Code Generator?

CVE-2025-53588 is a HIGH severity vulnerability allowing attackers to read arbitrary files on a WordPress server due to a path traversal flaw in the UPC/EAN/GTIN Code Generator plugin.

Am I affected by CVE-2025-53588 in UPC/EAN Code Generator?

You are affected if you are using UPC/EAN/GTIN Code Generator versions 0.0.0 through 2.0.2. Check your plugin versions immediately.

How do I fix CVE-2025-53588 in UPC/EAN Code Generator?

Upgrade the UPC/EAN/GTIN Code Generator plugin to version 2.0.3 or later. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.

Is CVE-2025-53588 being actively exploited?

As of now, there are no confirmed reports of active exploitation, but the high CVSS score suggests a potential risk.

Where can I find the official UPC/EAN Code Generator advisory for CVE-2025-53588?

Check the plugin's official website or WordPress plugin repository for updates and advisories related to CVE-2025-53588.

NextGuard

Vulnerabilities

Package Information

Active installs: 500
Plugin rating

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

5.0

Requires WordPress

4.0.1+

Compatible up to

6.8.5

Requires PHP

5.8.1+

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: None — no integrity impact. Attacker cannot modify data.
Availability: High — complete crash or resource exhaustion. Full denial of service.