CVE-2025-48267

EUVD-2025-17537 | Severity: HIGH | CVSS 3.1 base score: 8.6
Published: 2025-06-09 ([email protected])

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 19:21 (euvd), EUVD-2025-17537
Analysis Generated: Mar 14, 2026 19:21 (vuln.today)
CVE Published: Jun 09, 2025 16:15 (nvd)

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes allows Path Traversal. This issue affects WP Pipes: from n/a through 1.4.2.

Analysis

WP Pipes from ThimPress contains a path traversal vulnerability that allows unauthenticated remote attackers to access files outside the intended directories, potentially causing denial of service or information disclosure. Versions through 1.4.2 are affected. The CVSS 3.1 score of 8.6 (High) reflects network accessibility and the absence of any authentication requirement, while the vector scores the impact as availability only (C:N/I:N/A:H) rather than confidentiality or integrity.

Technical Context

This vulnerability stems from improper input validation in the WP Pipes WordPress plugin (CPE: wp:thimpress:wp-pipes), which fails to properly sanitize and validate file path parameters before using them in file operations. The root cause is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'), a common weakness in which user-supplied input containing traversal sequences (e.g., '../', '..\') is not adequately restricted to the intended directories. The plugin likely constructs file paths by concatenating user input directly, without canonicalization or a boundary check against the intended base directory, allowing attackers to walk up the filesystem hierarchy and reach sensitive files or trigger denial-of-service conditions.

Affected Products

WP Pipes (1.0 through 1.4.2)

Remediation

Patching (priority: Critical): Update WP Pipes to a version later than 1.4.2 when available. Monitor ThimPress official channels and the WordPress.org plugin repository for security updates.

Interim Mitigation (priority: High): If patching is delayed, disable the WP Pipes plugin or restrict access to it via WordPress security plugins, WAF rules, or web server configuration (e.g., .htaccess or nginx rules blocking path traversal patterns in plugin URLs).

Web Application Firewall (priority: High): Deploy rules to detect and block requests containing path traversal sequences ('../', '..\', and encoded variants such as '%2e%2e%2f') targeting the WP Pipes plugin endpoints.

File System Hardening (priority: Medium): Apply the principle of least privilege: ensure the WordPress application user has only the file system permissions it requires, and restrict access to sensitive directories outside the WordPress root.

Monitoring (priority: Medium): Log and alert on suspicious file access patterns from the WordPress process; monitor plugin update channels for patch release announcements.
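As an added example (not code from WP Pipes, ThimPress or vuln.today) covering both the missing canonicalization and boundary validation described under Technical Context and the traversal-pattern detection that the WAF and Monitoring items above call for; the plugin URL prefix, base directory and access-log lines are constructed assumptions:

```python
import os
import re
from urllib.parse import unquote

# Assumed plugin URL prefix for the constructed log samples; not taken from the advisory.
PLUGIN_PREFIX = "/wp-content/plugins/wp-pipes/"


def normalize(path: str) -> str:
    """Percent-decode until stable (defeats '%252e' double encoding) and treat
    backslashes as separators so '..\\' is recognised as a traversal step."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def resolve_within(base_dir: str, user_path: str):
    """The boundary check the plugin lacks: canonicalise base + user input and
    return the absolute path only if it stays inside base_dir, otherwise None."""
    base = os.path.realpath(base_dir)
    relative = normalize(user_path).lstrip("/")  # absolute input is re-anchored at base
    target = os.path.realpath(os.path.join(base, relative))
    # commonpath rather than startswith: '/srv/wp-pipes2' must not pass for '/srv/wp-pipes'
    return target if os.path.commonpath([base, target]) == base else None


def looks_like_traversal(request_path: str) -> bool:
    """WAF / log-review rule: a bare '..' segment in the path or any query value
    once the request path has been normalised (so encoded variants are caught)."""
    return ".." in re.split(r"[/?=&]", normalize(request_path))


def flag_log_lines(lines):
    """Return the access-log lines whose request targets the plugin with a traversal."""
    hits = []
    for line in lines:
        request_path = line.split('"')[1].split(" ")[1]  # '"GET /path HTTP/1.1"' -> /path
        if request_path.startswith(PLUGIN_PREFIX) and looks_like_traversal(request_path):
            hits.append(line)
    return hits


# Constructed sample access-log lines (not real traffic); the second and third should be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2025:16:15:00 +0000] "GET /wp-content/plugins/wp-pipes/feeds/list HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/Jun/2025:16:15:07 +0000] "GET /wp-content/plugins/wp-pipes/..%2f..%2fsecret.txt HTTP/1.1" 403 0',
    '203.0.113.9 - - [09/Jun/2025:16:15:09 +0000] "GET /wp-content/plugins/wp-pipes/..%252f..%255csecret.txt HTTP/1.1" 403 0',
    '198.51.100.2 - - [09/Jun/2025:16:16:00 +0000] "GET /index.php?p=..%2f..%2fx HTTP/1.1" 200 100',
]
```

`resolve_within` is the shape of fix the plugin needs; `flag_log_lines` is the shape of rule a WAF or log monitor would run until the patch lands.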

Priority Score

43
Components: KEV 0, EPSS +0.1, CVSS +43, POC 0


CVE-2025-48267 vulnerability details – vuln.today
