CVE-2025-28955
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in FWDesign Easy Video Player Wordpress & WooCommerce fwdevp allows Path Traversal. This issue affects Easy Video Player Wordpress & WooCommerce: from n/a through <= 10.0.
Analysis
Path traversal in FWDesign Easy Video Player WordPress plugin through version 10.0 allows unauthenticated attackers to read arbitrary files from the server via directory traversal sequences. The vulnerability affects all versions up to and including 10.0, enabling direct file access without authentication. No public exploit code has been independently confirmed, though the low EPSS score (0.11%, 30th percentile) suggests limited real-world exploitation likelihood despite the straightforward attack vector.
Technical Context
This is a classic path traversal vulnerability (CWE-22) in the Easy Video Player WordPress plugin, likely stemming from insufficient input validation when processing file paths in the video player functionality. WordPress plugins often accept user-supplied parameters to serve media files; if the plugin fails to properly canonicalize or validate these paths, attackers can use traversal sequences (e.g., ../, ..\) to escape the intended directory and access sensitive files outside the video directory. The vulnerability exists in a WordPress/WooCommerce plugin context (CPE would be vendor:fwdesign, product:easy-video-player-wordpress-woocommerce), making it accessible via HTTP requests to the web server.
Affected Products
FWDesign Easy Video Player for WordPress & WooCommerce, versions up to and including 10.0. The plugin is distributed via the WordPress plugin ecosystem and affects both standard WordPress and WooCommerce installations using this video player component.
Remediation
Upgrade FWDesign Easy Video Player to a version after 10.0 immediately; consult the vendor's release notes or the Patchstack database (https://patchstack.com/database/Wordpress/Theme/fwdevp/) for the specific patched version. If an immediate upgrade is not possible, disable or remove the Easy Video Player plugin until a patch can be applied. As a compensating control, add rules at the web server level (Apache/Nginx) that reject requests to the plugin whose file path parameters contain traversal sequences, so that such requests never reach the vulnerable code.
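The canonicalize-then-check that the Technical Context and Remediation sections call for, as an added Python illustration rather than code from the plugin or from this advisory; in the plugin's own PHP the same check is realpath() on both the media directory and the resolved request, followed by a prefix test. The directory layout, file names and request strings below are constructed for the demo.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_media_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of `requested` inside `base_dir`, or None when the
    request would escape the media directory. This is the containment check a
    file-serving handler must perform before opening anything."""
    decoded = requested
    for _ in range(3):                        # unwind %2e%2e%2f and double encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = decoded.replace("\\", "/")      # treat ..\ like ../ (Windows hosts)
    if decoded.startswith("/") or "\x00" in decoded:
        return None                           # absolute paths and NUL truncation
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Canonical request must sit at or below the canonical base directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> dict:
    """Constructed layout: a media directory holding one video, and a
    configuration file one level above it that must never be served."""
    with tempfile.TemporaryDirectory() as root:
        media = os.path.join(root, "videos")
        os.mkdir(media)
        open(os.path.join(media, "intro.mp4"), "w").close()
        open(os.path.join(root, "wp-config.php"), "w").close()
        requests = (
            "intro.mp4",                 # legitimate
            "sub/../intro.mp4",          # dot-dot that stays inside the directory
            "../wp-config.php",          # plain traversal
            "..%2fwp-config.php",        # URL-encoded separator
            "..%252fwp-config.php",      # double-encoded separator
            "..\\wp-config.php",         # backslash variant
        )
        results = {}
        for req in requests:
            safe = resolve_media_path(media, req)
            results[req] = None if safe is None else os.path.relpath(safe, media)
        return results
```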