Delete Comments By Status CVE-2025-25130
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Relative Path Traversal vulnerability in NotFound Delete Comments By Status allows PHP Local File Inclusion. This issue affects Delete Comments By Status: from n/a through 2.1.1.
AnalysisAI
Path traversal in Delete Comments By Status (WordPress plugin) versions up to 2.1.1 enables remote attackers to include arbitrary PHP files from the local filesystem, potentially achieving remote code execution. Attack requires high complexity (AC:H) and user interaction (UI:R), limiting exploitation to social engineering scenarios. EPSS score of 0.18% (39th percentile) indicates low widespread exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public POC identified at time of analysis.
Technical ContextAI
This is a CWE-23 Relative Path Traversal vulnerability in a WordPress plugin written in PHP. The flaw allows an attacker to manipulate file path inputs using relative path sequences (e.g., '../') to escape intended directory restrictions and include PHP files from arbitrary filesystem locations via PHP's include/require functions (Local File Inclusion). WordPress plugins often handle file operations for admin functions like bulk deletions, and insufficient validation of user-supplied paths can enable attackers to traverse outside the intended webroot. Combined with PHP's dynamic file inclusion capabilities, this creates a code execution risk if attackers can include files containing executable PHP code (uploaded files, log files with injected PHP, or system files like /proc/self/environ).
Affected ProductsAI
Delete Comments By Status WordPress plugin versions from initial release through 2.1.1 are confirmed vulnerable according to NVD data. The CPE would be cpe:2.3:a:notfound:delete_comments_by_status:*:*:*:*:*:wordpress:*:* (versions ≤2.1.1). Vendor advisory available at Patchstack database: https://patchstack.com/database/wordpress/plugin/delete-comments-by-status/vulnerability/wordpress-external-video-for-everybody-plugin-2-1-1-cross-site-scripting-xss-vulnerability-3. Note that Patchstack reference URL contains inconsistent metadata referencing 'external-video-for-everybody' and 'XSS vulnerability' in the slug, which may indicate database cataloging issues - the CVE description clearly identifies this as path traversal in Delete Comments By Status.
RemediationAI
Primary remediation: Upgrade Delete Comments By Status plugin to version 2.1.2 or later if available (check WordPress plugin repository for latest release, as specific fix version is not confirmed in provided data). Vendor has been notified by Patchstack (audit@patchstack.com), suggesting patch coordination likely occurred. If no patched version exists, implement compensating controls: (1) Disable or uninstall Delete Comments By Status plugin entirely until patch is released - this eliminates attack surface but removes comment management functionality. (2) Restrict WordPress admin access to trusted networks only via .htaccess or firewall rules limiting /wp-admin/ access by IP - this reduces attacker ability to exploit the UI:R requirement but impacts legitimate remote administration. (3) Deploy Web Application Firewall (WAF) rules blocking common path traversal patterns (../, %2e%2e%2f, etc.) in plugin requests - may cause false positives with legitimate admin operations. Monitor WordPress logs for suspicious file access attempts. Consult Patchstack advisory for authoritative remediation guidance: https://patchstack.com/database/wordpress/plugin/delete-comments-by-status/vulnerability/.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today