Skip to main content

ThimPress WP Pipes CVE-2025-48267

| EUVDEUVD-2025-17537 HIGH
Path Traversal (CWE-22)
2025-06-09 audit@patchstack.com
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 19:21 euvd
EUVD-2025-17537
Analysis Generated
Mar 14, 2026 - 19:21 vuln.today
CVE Published
Jun 09, 2025 - 16:15 nvd
HIGH 8.6

DescriptionCVE.org

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes allows Path Traversal. This issue affects WP Pipes: from n/a through 1.4.2.

AnalysisAI

Path traversal vulnerability in ThimPress WP Pipes that allows unauthenticated remote attackers to access files outside restricted directories, potentially causing denial of service or information disclosure. Versions through 1.4.2 are affected. The vulnerability has a high CVSS score of 8.6 due to network accessibility and no authentication requirements, though the impact is limited to availability rather than confidentiality or integrity.

Technical ContextAI

This vulnerability exploits improper input validation in the WP Pipes WordPress plugin (CPE: wp:thimpress:wp-pipes), which fails to properly sanitize and validate file path parameters before using them in file operations. The root cause is classified under CWE-22 (Path Traversal / Directory Traversal), a common weakness where user-supplied input containing path traversal sequences (e.g., '../', '..\') is not adequately restricted to intended directories. The plugin likely constructs file paths by directly concatenating user input without canonicalization or boundary validation, allowing attackers to navigate the filesystem hierarchy and access sensitive files or trigger denial of service conditions.

RemediationAI

Patching: Update WP Pipes to a version later than 1.4.2 when available. Monitor ThimPress official channels and WordPress.org plugin repository for security updates.; priority: Critical Interim Mitigation: If patching is delayed: disable WP Pipes plugin or restrict access via WordPress security plugins, WAF rules, or web server configuration (e.g., .htaccess or nginx rules blocking path traversal patterns in plugin URLs).; priority: High Web Application Firewall (WAF): Deploy rules to detect and block requests containing path traversal sequences ('../', '..\', encoded variants like '%2e%2e%2f') targeting the WP Pipes plugin endpoints.; priority: High File System Hardening: Apply principle of least privilege: ensure WordPress application user has minimal required file system permissions; restrict access to sensitive directories outside WordPress root.; priority: Medium Monitoring: Log and alert on suspicious file access patterns from the WordPress process; monitor plugin update channels for patch release announcements.; priority: Medium

Share

CVE-2025-48267 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy