Sports Rankings and Lists CVE-2025-25162
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound Sports Rankings and Lists allows Absolute Path Traversal. This issue affects Sports Rankings and Lists: from n/a through 1.0.2.
AnalysisAI
Absolute path traversal in Sports Rankings and Lists WordPress plugin versions up to 1.0.2 allows unauthenticated remote attackers to read arbitrary files from the server filesystem. The vulnerability enables unauthorized access to sensitive configuration files, credentials, and source code without requiring authentication or user interaction. EPSS score of 0.25% suggests low probability of mass exploitation, and no public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
This vulnerability exploits CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) in a WordPress plugin. Path traversal occurs when user-supplied input containing directory traversal sequences (such as '../' or absolute paths) is not properly sanitized before being used in file operations. WordPress plugins commonly introduce these vulnerabilities through improper handling of file download, upload, or include functionality. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the plugin exposes a network-accessible endpoint that processes file paths without validating that they remain within intended directories. The scope unchanged (S:U) indicates the vulnerability is confined to the vulnerable plugin component, but high confidentiality impact (C:H) reflects ability to access any file readable by the web server process. The Sports Rankings and Lists plugin likely implements functionality to read or serve files (possibly for displaying sports data, importing rankings, or managing media) without implementing proper path canonicalization or allowlist validation.
Affected ProductsAI
NotFound Sports Rankings and Lists plugin for WordPress versions from initial release through 1.0.2 are confirmed vulnerable. The vulnerability affects all installations of this plugin regardless of WordPress core version. The Patchstack advisory references indicate this is a WordPress plugin distributed through the WordPress.org plugin repository. No CPE identifiers were provided in the source data, and vendor-specific version confirmation is limited to the Patchstack database entry showing maximum affected version 1.0.2.
RemediationAI
Immediately update Sports Rankings and Lists plugin to version 1.0.3 or later if available, or remove the plugin entirely if not business-critical. Verify the installed version in WordPress admin under Plugins and check the WordPress.org plugin repository for updated releases. The Patchstack advisory at https://patchstack.com/database/wordpress/plugin/sports-rankings-lists/ should contain specific patch information, though the provided reference URL contains inconsistent path structure suggesting data quality issues. If no patched version is available, implement compensating controls: disable the plugin through WordPress admin, restrict wp-admin access to trusted IP addresses only via .htaccess or firewall rules, deploy a web application firewall (WAF) with path traversal detection rules to block requests containing '../', absolute paths, or URL-encoded variants targeting plugin endpoints, and monitor web server logs for suspicious file access patterns including repeated 404 errors or access to sensitive files like wp-config.php. Note that WAF rules may cause false positives if the plugin legitimately processes file paths in expected functionality. Review server logs for evidence of exploitation attempts showing access to files outside the plugin directory before remediation.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today