Platform: wordpress
Component: workreap
Fixed in: 3.3.6
CVE-2025-59566 describes an Arbitrary File Access vulnerability discovered in the Workreap plugin for WordPress. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. The vulnerability affects versions from 0.0.0 through 3.3.5, and a fix is available in version 3.3.6.
The Arbitrary File Access vulnerability in Workreap allows an attacker to read arbitrary files from the server's file system. This can lead to the exposure of sensitive data such as configuration files, database credentials, or even source code. Successful exploitation requires an attacker to craft a malicious URL that exploits the lack of proper path validation within the plugin. The potential impact includes data breaches, compromise of server credentials, and potential for further exploitation if sensitive information is exposed.
CVE-2025-59566 was publicly disclosed on 2025-10-22. As of this date, there are no known public proof-of-concept exploits available. The vulnerability's severity is rated HIGH (CVSS 7.7), indicating a moderate probability of exploitation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.07% (20th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-59566 is to immediately upgrade the Workreap plugin to version 3.3.6 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, review the plugin's code for other potential vulnerabilities and ensure proper file access controls are in place. After upgrading, confirm the fix by attempting to access a non-existent file via the vulnerable endpoint and verifying that access is denied.
Update the Workreap plugin to a version later than 3.3.5 to mitigate the path traversal vulnerability. Check the plugin page on WordPress.org for the latest available version and follow the update instructions provided by the developer.
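The two controls the advisory names, side by side, as an added example that is not code from the advisory or from the Workreap plugin: a WAF-style rule that flags a `..` path segment after percent-decoding (the temporary workaround), and the proper fix, a canonicalize-and-contain check that also refuses absolute paths, which a `../` substring rule never sees. `BASE_DIR` and the sample request paths are constructed for illustration.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical directory the plugin is meant to serve files from (not from the advisory).
BASE_DIR = "/var/www/html/wp-content/uploads/workreap"


def fully_decode(raw: str, rounds: int = 3) -> str:
    """Undo percent-encoding repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def waf_flags_traversal(raw_path: str) -> bool:
    """Workaround: block any request whose decoded path contains a '..' segment."""
    segments = fully_decode(raw_path).replace("\\", "/").split("/")
    return ".." in segments


def resolve_within_base(user_path: str, base: str = BASE_DIR) -> Optional[str]:
    """Fix: canonicalize, then allow only paths that stay under the base directory."""
    base_real = os.path.realpath(base)
    # os.path.join discards base when user_path is absolute; realpath then exposes that.
    candidate = os.path.realpath(os.path.join(base_real, fully_decode(user_path)))
    if candidate == base_real or candidate.startswith(base_real + os.sep):
        return candidate
    return None  # escapes the base directory: deny


# Constructed sample request paths (not from the advisory) exercising both checks.
SAMPLE_PATHS = [
    "resume.pdf",                   # legitimate file inside the base directory
    "../../wp-config.php",          # plain traversal
    "..%2F..%2Fwp-config.php",      # percent-encoded separators
    "%252e%252e/wp-config.php",     # double-encoded dots
    "/var/www/html/wp-config.php",  # absolute path: contains no '..' at all
]


def classify(raw_path: str) -> tuple:
    """Returns (flagged by the WAF rule, allowed by the containment check)."""
    return waf_flags_traversal(raw_path), resolve_within_base(raw_path) is not None


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        flagged, allowed = classify(p)
        print(f"{p:32} waf_flagged={flagged!s:5} allowed={allowed}")
```

The last sample is the reason the WAF rule is only a stopgap: it passes the substring filter yet is still denied by the containment check.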
CVE-2025-59566 is a HIGH severity vulnerability in the Workreap plugin for WordPress that allows attackers to read arbitrary files on the server due to improper path validation.
You are affected if you are using Workreap plugin versions 0.0.0 through 3.3.5. Upgrade to version 3.3.6 to resolve the vulnerability.
Upgrade the Workreap plugin to version 3.3.6 or later. As a temporary workaround, implement a WAF rule to block path traversal attempts.
As of the public disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the AmentoTech advisory and the WordPress plugin directory for updates and further information regarding CVE-2025-59566.