Platform: wordpress
Component: pt-luxa-addons
Fixed in: 1.2.3
CVE-2025-60217 describes an Arbitrary File Access vulnerability within the ypromo PT Luxa Addons WordPress plugin. This flaw allows attackers to potentially read sensitive files on the server by manipulating file paths. Versions 0.0.0 through 1.2.2 are affected, and a fix is available in version 1.2.3.
The Arbitrary File Access vulnerability allows an attacker to bypass intended access controls and read arbitrary files on the server hosting the WordPress site. This could expose sensitive data such as configuration files, database credentials, or even source code. Successful exploitation could lead to complete compromise of the web server and potentially the entire network if the server has access to other internal resources. The impact is amplified if the server hosts multiple websites or applications, increasing the potential blast radius.
This vulnerability was publicly disclosed on 2025-10-22. Currently, there are no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation is relatively high due to the path traversal nature of the vulnerability.
Websites utilizing the ypromo PT Luxa Addons plugin, particularly those running older, unpatched versions (0.0.0–1.2.2), are at significant risk. Shared hosting environments where multiple websites share the same server are especially vulnerable, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
grep -rF '../' /var/www/html/wp-content/plugins/pt-luxa-addons/*
• generic web:
curl -I https://example.com/wp-content/plugins/pt-luxa-addons/../../../../etc/passwd
• wordpress / composer / npm:
wp plugin list | grep 'pt-luxa-addons'
• wordpress / composer / npm:
wp plugin update pt-luxa-addons
Exploit status:
EPSS: 0.05% (16th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to immediately upgrade the PT Luxa Addons plugin to version 1.2.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences (e.g., ../). Additionally, restrict file permissions on the WordPress installation to minimize the potential damage from a successful exploit. Regularly review WordPress plugin installations and remove any unused or outdated plugins.
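As an added example (not code from the advisory or from the plugin), the following shows the defensive side of this mitigation: detection logic that flags requests to the plugin path carrying a `..` segment (including percent-encoded and double-encoded forms a naive WAF rule would miss), plus the containment check a path-handling fix needs. The log lines are constructed; only the plugin slug comes from the advisory.

```python
import os
import re
from typing import List
from urllib.parse import unquote

# Constructed sample access-log lines (not captured from any real server); only
# the plugin path is taken from the advisory, the request payloads are illustrative.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Oct/2025:10:00:01 +0000] "GET /wp-content/plugins/pt-luxa-addons/assets/style.css HTTP/1.1" 200 512
203.0.113.9 - - [22/Oct/2025:10:00:02 +0000] "GET /wp-content/plugins/pt-luxa-addons/../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.9 - - [22/Oct/2025:10:00:03 +0000] "GET /wp-content/plugins/pt-luxa-addons/?file=..%2F..%2Fwp-config.php HTTP/1.1" 200 0
203.0.113.9 - - [22/Oct/2025:10:00:04 +0000] "GET /wp-content/plugins/pt-luxa-addons/?file=%252e%252e/wp-config.php HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
# A '..' segment delimited by a slash, a query '=' or '&', or the string edge.
TRAVERSAL_RE = re.compile(r'(?:^|[/=&])\.\.(?:/|$)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so that %252e%252e ends up as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_traversal(url: str) -> bool:
    """True if the path or query carries a '..' segment once decoded and normalised."""
    return TRAVERSAL_RE.search(fully_decode(url).replace("\\", "/")) is not None


def flag_traversal_requests(log_text: str, plugin_slug: str = "pt-luxa-addons") -> List[str]:
    """Return request targets that hit the plugin path and contain a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and f"/plugins/{plugin_slug}/" in match.group(1) and contains_traversal(match.group(1)):
            hits.append(match.group(1))
    return hits


def is_within_base(base_dir: str, requested: str) -> bool:
    """Containment check a fix needs: resolve the final path and require it to stay under base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, fully_decode(requested)))
    return candidate == base or candidate.startswith(base + os.sep)
```

Matching on the decoded, normalised value rather than the literal `../` string is what makes the check hold up against encoded variants; the same decode-then-resolve order applies to the server-side containment check.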
Update the PT Luxa Addons plugin to the latest available version to mitigate the directory traversal vulnerability. Check for plugin updates directly in the WordPress admin dashboard or through the WordPress plugin repository. Make sure to take a full backup of the site before updating any plugin.
CVE-2025-60217 is a HIGH severity vulnerability in the PT Luxa Addons WordPress plugin allowing attackers to read arbitrary files via path traversal. Versions 0.0.0–1.2.2 are affected.
You are affected if your WordPress site uses the PT Luxa Addons plugin and is running version 0.0.0 through 1.2.2. Check your plugin versions immediately.
Upgrade the PT Luxa Addons plugin to version 1.2.3 or later. If immediate upgrade isn't possible, implement WAF rules to block path traversal attempts.
Currently, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the ypromo website or WordPress plugin repository for the official advisory and update information regarding CVE-2025-60217.