Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
The EmailKit - Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 1.6.3. This is due to the action() function in the TemplateData class passing user-supplied input from the 'emailkit-editor-template' REST API parameter directly to file_get_contents() without any path validation, sanitization, or restriction to an allowed directory. This makes it possible for authenticated attackers, with Administrator-level access, to read arbitrary files on the server (such as /etc/passwd or wp-config.php) by supplying a traversal path. The file contents are stored as post meta and can subsequently be retrieved via the fetch-data REST API endpoint. Notably, the CheckForm class in the same plugin implements proper path validation using realpath() and directory restriction, demonstrating that the developer was aware of the risk but failed to apply the same protections to the TemplateData endpoint.
AnalysisAI
The EmailKit - Email Customizer for WooCommerce & WP WordPress plugin contains a path traversal vulnerability in the TemplateData class that allows authenticated administrators to read arbitrary files from the server via the 'emailkit-editor-template' REST API parameter. An attacker with Administrator privileges can exploit this flaw to access sensitive files such as wp-config.php or /etc/passwd by supplying directory traversal sequences, with the retrieved file contents stored as post metadata and retrievable through the fetch-data REST API endpoint. The vulnerability affects all versions up to and including 1.6.3, and while it requires high-level administrative access and has a moderate CVSS score of 4.9, it represents a critical information disclosure risk in multi-user WordPress environments.
Technical ContextAI
The vulnerability exists in the TemplateData class's action() function within the EmailKit plugin (CPE: cpe:2.3:a:roxnor:emailkit_–_email_customizer_for_woocommerce_&_wp:*:*:*:*:*:*:*:*), a WordPress plugin for email template customization. The root cause is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory – Path Traversal), where user-supplied input from a REST API parameter is passed directly to the PHP file_get_contents() function without validation, sanitization, or directory restriction. The vulnerability is compounded by the fact that the same codebase includes proper mitigation in the CheckForm class using realpath() and directory restriction, demonstrating developer awareness of the attack vector but inconsistent application of security controls across the codebase.
RemediationAI
Immediately upgrade the EmailKit plugin to version 1.6.4 or later, which implements proper path validation and directory restriction controls. For WordPress administrators unable to patch immediately, restrict REST API access to the vulnerable endpoints through a Web Application Firewall (WAF) by blocking requests to the 'emailkit-editor-template' action parameter, or disable REST API access entirely if not required for plugin functionality. Additionally, audit current post meta entries for suspicious file paths that may have been read via this vulnerability, review administrator account activity logs for unauthorized REST API calls, and if using a multi-administrator setup, implement role-based access controls to limit who can access email customization features. Monitor WordPress security advisories at https://plugins.trac.wordpress.org/ for confirmation of the patch release and apply updates immediately upon availability.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13920