Platform: wordpress
Component: filr-protection
Fixed in: 1.2.11
CVE-2025-64230 describes an Arbitrary File Access vulnerability in WP Chill Filr, a WordPress plugin. The flaw, caused by improper limitation of file paths to the intended directory, lets an attacker read arbitrary files on the server. It affects versions 0.0.0 through 1.2.10 of the plugin and is fixed in version 1.2.11.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access restrictions and retrieve files that they should not be able to access. In the context of WP Chill Filr, this could expose sensitive configuration files, database credentials, or even source code. Successful exploitation could lead to data breaches, privilege escalation, and potentially complete compromise of the WordPress installation. The impact is amplified if the server hosts other sensitive applications or data, as the attacker could use this vulnerability as a stepping stone for lateral movement.
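The defect class described above, as an added illustration that is not the plugin's code (the advisory does not show the vulnerable routine): a generic file-serving resolver in Python in the naive form that joins user input onto a base directory, beside the hardened form that canonicalizes the result and checks that it stays inside the base directory. The directory names, file names and the `PathEscapeError` class are constructed for this demo.

```python
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a requested path resolves outside the permitted directory."""


def unsafe_resolve(base_dir: str, requested: str) -> str:
    """The defective pattern: user input joined onto the base directory with no check.

    '../' segments walk out of base_dir, and an absolute 'requested' makes
    os.path.join discard base_dir entirely. Shown only to contrast with safe_resolve.
    """
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> str:
    """Resolve 'requested' relative to base_dir, or raise if it would leave it."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested):
        raise PathEscapeError(f"absolute path rejected: {requested!r}")
    # realpath collapses '..' segments and follows symlinks, so the containment
    # test runs on the canonical path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith: '/srv/public2' starts with '/srv/public'
    # but is not inside it.
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{requested!r} escapes {base!r}")
    return candidate


def resolves_inside(base_dir: str, requested: str) -> bool:
    """Boolean wrapper around safe_resolve for callers that only need a verdict."""
    try:
        safe_resolve(base_dir, requested)
    except PathEscapeError:
        return False
    return True


def demo() -> dict:
    """Exercise both resolvers on a throwaway directory tree (constructed data)."""
    root = tempfile.mkdtemp(prefix="path-demo-")
    served = os.path.join(root, "public")
    os.mkdir(served)
    os.mkdir(os.path.join(root, "public2"))  # sibling that a startswith() check would accept
    with open(os.path.join(served, "report.txt"), "w") as fh:
        fh.write("public report\n")
    # A config file one level above the served directory, standing in for wp-config.php.
    secret = os.path.join(root, "secret.conf")
    with open(secret, "w") as fh:
        fh.write("db_password=CONSTRUCTED-PLACEHOLDER\n")
    return {
        "unsafe_reaches_secret": os.path.isfile(unsafe_resolve(served, "../secret.conf")),
        "safe_allows_report": resolves_inside(served, "report.txt"),
        "safe_blocks_dotdot": resolves_inside(served, "../secret.conf"),
        "safe_blocks_sibling": resolves_inside(served, "../public2/anything.txt"),
        "safe_blocks_absolute": resolves_inside(served, secret),
    }


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check:24} {value}")
```

Running the script prints one line per check; the unsafe resolver reaches the file one level above the served directory, while the hardened one refuses the `..` walk, the sibling directory that a plain prefix comparison would accept, and the absolute path. Canonicalizing before the check matters because a check on the raw string can be bypassed by encodings and symlinks that the filesystem resolves later.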
CVE-2025-64230 was publicly disclosed on December 18, 2025. The vulnerability is a classic path traversal issue, and public proof-of-concept exploits are likely to emerge quickly. While no active exploitation campaigns had been confirmed as of this writing, the low effort required makes exploitation of unpatched installations likely. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.07% (20th percentile)
The primary mitigation for CVE-2025-64230 is to upgrade WP Chill Filr to version 1.2.11 or later without delay. If upgrading is not immediately feasible because of compatibility or testing requirements, apply temporary workarounds: restrict file-system permissions on the server so that the web server user can read only the files it needs, and add a Web Application Firewall (WAF) rule that blocks requests containing path traversal sequences (e.g., ../). Monitor the web server's access logs for the WordPress site for suspicious file access attempts. After upgrading, verify the fix by attempting to access a sensitive file through a path traversal request against your own installation; the request should be denied.
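The log-monitoring and WAF points above, as an added example that is not part of the advisory: a small Python scanner over constructed combined-format access log lines that percent-decodes each request target (including double encoding) before looking for `..` path segments, so the encoded variants a literal `../` rule would miss are still flagged, and that separates requests the server actually served (2xx) from ones it denied, which is the distinction the post-upgrade verification step relies on. The endpoint path and `file` query parameter in the sample lines are placeholders, not the plugin's real ones.

```python
import re
from urllib.parse import unquote

# Constructed sample of combined-format access log lines (not from any real server).
# The endpoint and the "file" parameter are placeholders, not the plugin's actual ones.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Dec/2025:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [18/Dec/2025:10:01:05 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [18/Dec/2025:10:01:09 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.13 - - [18/Dec/2025:10:01:12 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.14 - - [18/Dec/2025:10:02:00 +0000] "GET /wp-content/uploads/2025/12/photo.jpg HTTP/1.1" 200 88000 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment: preceded by start-of-string, a slash, or a query delimiter,
# and followed by a slash or end-of-string. ".." inside a filename ("a..b") does not match.
TRAVERSAL_RE = re.compile(r'(?:^|[/=&;])\.\.(?:/|$)')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (handles double encoding).

    Bounded so a pathological input cannot keep the loop busy.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_request(target: str) -> bool:
    """True if the request target contains a '..' segment once decoded and normalized."""
    decoded = fully_decode(target).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def scan_log(text: str) -> list:
    """Return one finding per log line whose request target looks like path traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_request(m["target"]):
            continue
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "target": m["target"],
            "status": status,
            # A 2xx means the server handed the file back: that is the case to investigate.
            "outcome": "served" if 200 <= status < 300 else "blocked",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['outcome']:8} {f['ip']:15} {f['status']} {f['target']}")
```

Run the script directly to print the findings. A WAF rule that matches only the literal `../` sequence would miss the third and fourth sample lines, so either decode before matching or rely on the WAF's own URL normalization. Treat `served` findings as incidents to investigate (the file was returned) and `blocked` ones as evidence that the rule or the patched plugin is rejecting the request.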
Update to version 1.2.11, or a newer patched version
CVE-2025-64230 is a path traversal vulnerability in WP Chill Filr allowing attackers to read arbitrary files. It has a CVSS score of 7.7 (HIGH) and affects versions 0.0.0 through 1.2.10.
You are affected if you are using WP Chill Filr versions 0.0.0 to 1.2.10. Check your plugin version and upgrade immediately if vulnerable.
Upgrade WP Chill Filr to version 1.2.11 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file permissions or using a WAF.
No active exploitation campaigns have been confirmed, but the low effort required makes exploitation of unpatched installations likely.
Refer to the WP Chill Filr website or WordPress plugin repository for the official advisory and release notes related to this vulnerability.