Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes allows Path Traversal. This issue affects WP Pipes: from n/a through 1.4.2.
AnalysisAI
Path traversal vulnerability in ThimPress WP Pipes that allows unauthenticated remote attackers to access files outside restricted directories, potentially causing denial of service or information disclosure. Versions through 1.4.2 are affected. The vulnerability has a high CVSS score of 8.6 due to network accessibility and no authentication requirements, though the impact is limited to availability rather than confidentiality or integrity.
Technical ContextAI
This vulnerability exploits improper input validation in the WP Pipes WordPress plugin (CPE: wp:thimpress:wp-pipes), which fails to properly sanitize and validate file path parameters before using them in file operations. The root cause is classified under CWE-22 (Path Traversal / Directory Traversal), a common weakness where user-supplied input containing path traversal sequences (e.g., '../', '..\') is not adequately restricted to intended directories. The plugin likely constructs file paths by directly concatenating user input without canonicalization or boundary validation, allowing attackers to navigate the filesystem hierarchy and access sensitive files or trigger denial of service conditions.
RemediationAI
Patching: Update WP Pipes to a version later than 1.4.2 when available. Monitor ThimPress official channels and WordPress.org plugin repository for security updates.; priority: Critical Interim Mitigation: If patching is delayed: disable WP Pipes plugin or restrict access via WordPress security plugins, WAF rules, or web server configuration (e.g., .htaccess or nginx rules blocking path traversal patterns in plugin URLs).; priority: High Web Application Firewall (WAF): Deploy rules to detect and block requests containing path traversal sequences ('../', '..\', encoded variants like '%2e%2e%2f') targeting the WP Pipes plugin endpoints.; priority: High File System Hardening: Apply principle of least privilege: ensure WordPress application user has minimal required file system permissions; restrict access to sensitive directories outside WordPress root.; priority: Medium Monitoring: Log and alert on suspicious file access patterns from the WordPress process; monitor plugin update channels for patch release announcements.; priority: Medium
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17537