Skip to main content

Delete Comments By Status CVE-2025-25130

HIGH
Relative Path Traversal (CWE-23)
2025-03-03 audit@patchstack.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 01:19 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.5

DescriptionCVE.org

Relative Path Traversal vulnerability in NotFound Delete Comments By Status allows PHP Local File Inclusion. This issue affects Delete Comments By Status: from n/a through 2.1.1.

AnalysisAI

Path traversal in Delete Comments By Status (WordPress plugin) versions up to 2.1.1 enables remote attackers to include arbitrary PHP files from the local filesystem, potentially achieving remote code execution. Attack requires high complexity (AC:H) and user interaction (UI:R), limiting exploitation to social engineering scenarios. EPSS score of 0.18% (39th percentile) indicates low widespread exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public POC identified at time of analysis.

Technical ContextAI

This is a CWE-23 Relative Path Traversal vulnerability in a WordPress plugin written in PHP. The flaw allows an attacker to manipulate file path inputs using relative path sequences (e.g., '../') to escape intended directory restrictions and include PHP files from arbitrary filesystem locations via PHP's include/require functions (Local File Inclusion). WordPress plugins often handle file operations for admin functions like bulk deletions, and insufficient validation of user-supplied paths can enable attackers to traverse outside the intended webroot. Combined with PHP's dynamic file inclusion capabilities, this creates a code execution risk if attackers can include files containing executable PHP code (uploaded files, log files with injected PHP, or system files like /proc/self/environ).

Affected ProductsAI

Delete Comments By Status WordPress plugin versions from initial release through 2.1.1 are confirmed vulnerable according to NVD data. The CPE would be cpe:2.3:a:notfound:delete_comments_by_status:*:*:*:*:*:wordpress:*:* (versions ≤2.1.1). Vendor advisory available at Patchstack database: https://patchstack.com/database/wordpress/plugin/delete-comments-by-status/vulnerability/wordpress-external-video-for-everybody-plugin-2-1-1-cross-site-scripting-xss-vulnerability-3. Note that Patchstack reference URL contains inconsistent metadata referencing 'external-video-for-everybody' and 'XSS vulnerability' in the slug, which may indicate database cataloging issues - the CVE description clearly identifies this as path traversal in Delete Comments By Status.

RemediationAI

Primary remediation: Upgrade Delete Comments By Status plugin to version 2.1.2 or later if available (check WordPress plugin repository for latest release, as specific fix version is not confirmed in provided data). Vendor has been notified by Patchstack (audit@patchstack.com), suggesting patch coordination likely occurred. If no patched version exists, implement compensating controls: (1) Disable or uninstall Delete Comments By Status plugin entirely until patch is released - this eliminates attack surface but removes comment management functionality. (2) Restrict WordPress admin access to trusted networks only via .htaccess or firewall rules limiting /wp-admin/ access by IP - this reduces attacker ability to exploit the UI:R requirement but impacts legitimate remote administration. (3) Deploy Web Application Firewall (WAF) rules blocking common path traversal patterns (../, %2e%2e%2f, etc.) in plugin requests - may cause false positives with legitimate admin operations. Monitor WordPress logs for suspicious file access attempts. Consult Patchstack advisory for authoritative remediation guidance: https://patchstack.com/database/wordpress/plugin/delete-comments-by-status/vulnerability/.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-25130 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy