Platform: wordpress
Component: wp-pipes
Fixed in: 1.4.4
CVE-2025-60227 describes an Arbitrary File Access vulnerability in the WP Pipes WordPress plugin. The flaw allows attackers to read sensitive files on the server by manipulating file paths. The vulnerability affects versions from 0.0.0 up to and including 1.4.3. A patch is expected to be released by the vendor to address this issue.
The Arbitrary File Access vulnerability in WP Pipes allows an attacker to bypass the intended access controls and read arbitrary files from the server's file system. This could expose sensitive data such as configuration files, database credentials, or source code. Successful exploitation could lead to complete compromise of the WordPress installation and potentially of the underlying server: depending on the permissions of the web server user, the attacker could obtain critical system information, modify files, or execute malicious code.
CVE-2025-60227 was publicly disclosed on 2025-10-22. The vulnerability's severity is considered HIGH (CVSS: 8.6). Currently, there are no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.08% (24th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-60227 is to upgrade WP Pipes to a patched version as soon as one becomes available. Until a patch is released, consider temporary workarounds such as restricting the file access permissions of the web server user or adding a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences (e.g., ../). Thoroughly test any configuration change in a staging environment before applying it to production. After upgrading, confirm the fix by attempting to access a non-public file via the previously vulnerable endpoint and verifying that access is denied.
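A WAF rule that matches only the literal string ../ misses URL-encoded and double-encoded forms of the same sequence. The following script is an added example, not part of this advisory or of the WP Pipes plugin; it scans constructed access-log lines for requests to the plugin path and flags traversal segments after repeated percent-decoding. The plugin directory /wp-content/plugins/wp-pipes/ and the file query parameter in the sample lines are assumptions, not the plugin's actual endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory): a benign request,
# a plain traversal attempt, a URL-encoded one and a double-encoded one.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Oct/2025:10:00:01 +0000] "GET /wp-content/plugins/wp-pipes/assets/style.css HTTP/1.1" 200 512
203.0.113.9 - - [22/Oct/2025:10:00:02 +0000] "GET /wp-content/plugins/wp-pipes/?file=../../../wp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [22/Oct/2025:10:00:03 +0000] "GET /wp-content/plugins/wp-pipes/?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
203.0.113.9 - - [22/Oct/2025:10:00:04 +0000] "GET /wp-content/plugins/wp-pipes/?file=%252e%252e%252fwp-config.php HTTP/1.1" 403 0
"""

# Combined-log-format request line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment terminated by a slash or the end of the path, checked after decoding.
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")


def normalize_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (to catch double encoding) and fold backslashes to slashes."""
    decoded = raw
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True when the decoded request path contains a parent-directory segment."""
    return TRAVERSAL_RE.search(normalize_path(raw_path)) is not None


def find_traversal_requests(log_text: str, plugin_prefix: str = "/wp-content/plugins/wp-pipes/") -> list:
    """Return (ip, status, decoded path) for plugin requests carrying a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        path = m.group("path")
        if path.startswith(plugin_prefix) and is_traversal(path):
            hits.append((m.group("ip"), int(m.group("status")), normalize_path(path)))
    return hits


if __name__ == "__main__":
    for ip, status, path in find_traversal_requests(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

A 200 status on a flagged request is the signal worth triaging; a 403 indicates the WAF rule already blocked it.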
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-60227 is a HIGH severity vulnerability in WP Pipes allowing attackers to read arbitrary files on a WordPress server. It affects versions 0.0.0 through 1.4.3.
You are affected if your WordPress site uses WP Pipes version 0.0.0 to 1.4.3. Check your plugin versions immediately.
Upgrade WP Pipes to the latest available version as soon as the vendor releases a patch. Until then, consider WAF rules or restricting file access permissions.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Check the ThimPress website and WordPress plugin repository for updates and advisories related to CVE-2025-60227.