What is the CVSS score of CVE-2025-15433?

CVE-2025-15433 has a CVSS 3.1 base score of 6.8 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2025-15433?

Organizations using Shared Files WordPress should be aware of notable risk from CVE-2025-15433 rated CVSS 6.8. Exploitation could compromise the security of affected deployments.. A patch is available.

Is there a public PoC exploit available for CVE-2025-15433?

Yes, a public proof-of-concept exploit is available for CVE-2025-15433. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2025-15433?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

PHP CVE-2025-15433

EUVD-2025-209042 MEDIUM

2026-03-26 WPScan

GHSA-fwg5-qqw8-5x24

WordPress PHP Path Traversal

6.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

6.8 MEDIUM

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

Apr 16, 2026 - 05:29 EUVD

1.7.58

PoC Detected

Mar 26, 2026 - 15:13 vuln.today

Public exploit code

EUVD ID Assigned

Mar 26, 2026 - 06:30 euvd

EUVD-2025-209042

Analysis Generated

Mar 26, 2026 - 06:30 vuln.today

CVE Published

Mar 26, 2026 - 06:00 nvd

MEDIUM 6.8

DescriptionCVE.org

The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector

AnalysisAI

The Shared Files WordPress plugin before version 1.7.58 contains a path traversal vulnerability that allows attackers with Contributor-level privileges or higher to download arbitrary files from the web server, including sensitive configuration files such as wp-config.php. A public proof-of-concept exploit is available, making this vulnerability actively exploitable in the wild. This represents a critical information disclosure risk affecting WordPress installations using affected versions of the plugin.

Technical ContextAI

The vulnerability exploits improper input validation in the Shared Files plugin's file download mechanism, allowing path traversal sequences (such as ../ or absolute paths) to bypass intended directory restrictions. The root cause falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), a classic path traversal flaw in file handling logic. The affected product is identified via CPE as cpe:2.3:a:unknown:shared_files:*:*:*:*:*:*:*:*, indicating all versions up to 1.7.57 are vulnerable. The plugin's download handler fails to properly sanitize user-supplied file path parameters before passing them to PHP file system functions, enabling traversal of the server's directory structure. This is particularly dangerous in WordPress environments where wp-config.php contains database credentials and authentication keys.

RemediationAI

Immediately upgrade the Shared Files WordPress plugin to version 1.7.58 or later through the WordPress plugin dashboard or by downloading directly from the official plugin repository. If the plugin cannot be upgraded immediately, disable or remove the plugin entirely to eliminate the attack surface, as this vulnerability can be exploited by any user with Contributor privileges or higher. Conduct a security audit of affected WordPress installations to determine if wp-config.php or other sensitive files have been accessed or downloaded; review server access logs and WordPress user audit trails for suspicious file download activity. Consider implementing network-level controls such as Web Application Firewalls (WAF) with path traversal detection rules to block exploitation attempts during any transition period.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2025-15433 vulnerability details – vuln.today

Back

PHP CVE-2025-15433

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code