Platform: wordpress
Component: wplms_plugin
Fixed in: 1.9.10
CVE-2025-69097 identifies an Arbitrary File Access vulnerability within the WPLMS plugin, developed by VibeThemes. This vulnerability allows attackers to potentially read sensitive files on the server by manipulating file paths. The issue affects WPLMS versions ranging from 0.0.0 up to and including 1.9.9.5.4. A patch is expected to be released by the vendor to address this security concern.
The Arbitrary File Access vulnerability in WPLMS allows an attacker to read arbitrary files from the server's file system. This can expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the WordPress site and potentially the underlying server. The attacker could gain access to user data, modify website content, or install malicious software. This vulnerability is particularly concerning given the widespread use of WordPress and the potential for large-scale data breaches.
The vulnerability was publicly disclosed on 2026-01-22. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
EPSS: 0.03% (7% percentile)
The primary mitigation for CVE-2025-69097 is to upgrade WPLMS to a patched version as soon as it becomes available. Until a patch is released, consider implementing temporary workarounds such as restricting file access permissions on the server and implementing a Web Application Firewall (WAF) with rules to block suspicious file access attempts. Review and harden WordPress file permissions to limit the impact of potential exploitation. Monitor WPLMS plugin files for unauthorized modifications. After upgrade, confirm by attempting to access restricted files via the vulnerable endpoint and verifying that access is denied.
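An added example (not code from the vendor or from this advisory): a check of installed copies against the versions listed on this page, comparing them numerically because a plain string comparison ranks 1.9.9.5.4 above 1.9.10. The plugin directory name `wplms_plugin`, the sample file name `loader.php`, and treating every version below 1.9.10 as affected are assumptions.

```python
import re
import tempfile
from pathlib import Path

FIXED_IN = "1.9.10"          # "Fixed in" value listed on this page
LAST_AFFECTED = "1.9.9.5.4"  # last affected version listed on this page
# Same header shape WordPress looks for ("Version: x.y.z" inside a comment).
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)

def vkey(version, width=8):
    """Numeric key, zero-padded, so 1.9.9.5.4 sorts below 1.9.10."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:width]
    return tuple(parts + [0] * (width - len(parts)))

def is_affected(version):
    # Assumption: anything below the fixed release counts as affected,
    # including versions between 1.9.9.5.4 and 1.9.10 the page does not list.
    return vkey(version) < vkey(FIXED_IN)

def plugin_version(php_file):
    """Return the Version header found in the first 8 KiB of a plugin file."""
    head = Path(php_file).read_bytes()[:8192].decode("utf-8", "replace")
    match = HEADER_RE.search(head)
    return match.group(1) if match else None

def audit(plugins_dir, slug="wplms_plugin"):
    """List (file, version, affected) for the plugin's top-level PHP files.
    The directory name `slug` is an assumption taken from the component name."""
    found = []
    for php in sorted(Path(plugins_dir, slug).glob("*.php")):
        version = plugin_version(php)
        if version:
            found.append((php.name, version, is_affected(version)))
    return found

def demo():
    """Constructed sample: one fake plugin file per temporary install."""
    out = []
    for version in (LAST_AFFECTED, FIXED_IN):
        with tempfile.TemporaryDirectory() as root:
            plugin = Path(root, "wplms_plugin")
            plugin.mkdir()
            Path(plugin, "loader.php").write_text(
                f"<?php\n/*\n * Plugin Name: sample\n * Version: {version}\n */\n")
            out.extend(audit(root))
    return out

if __name__ == "__main__":
    print(demo())
```

Point `audit()` at a site's `wp-content/plugins` directory to run it against a real install.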
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
CVE-2025-69097 is a HIGH severity vulnerability in WPLMS allowing attackers to read arbitrary files on the server. It affects versions 0.0.0 through 1.9.9.5.4.
Yes, if you are using WPLMS version 0.0.0 through 1.9.9.5.4, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The recommended fix is to upgrade WPLMS to a patched version. Until a patch is available, implement temporary workarounds like restricting file access and using a WAF.
Currently, there are no known public exploits or active campaigns targeting this vulnerability, but it's crucial to apply the patch promptly.
Refer to the VibeThemes website and WordPress plugin repository for official advisories and updates regarding CVE-2025-69097.