CVE-2025-23422
Published: 24 January 2025
Summary
CVE-2025-23422 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 40.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-23422 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified under CWE-22 (Path Traversal), in the moaluko Store Locator WordPress plugin (store-locator). This flaw allows PHP Local File Inclusion and affects all versions from n/a through 3.98.10. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact despite requiring user interaction and high attack complexity.
An unauthenticated remote attacker can exploit this vulnerability over the network by inducing a user to perform an action, such as following a maliciously crafted request. Successful exploitation enables PHP Local File Inclusion, potentially allowing the attacker to read or include arbitrary local files on the server, with high impact to confidentiality, integrity, and availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/store-locator/vulnerability/wordpress-store-locator-plugin-3-98-10-local-file-inclusion-vulnerability?_s_id=cve. Security practitioners should update to a patched version if available and review plugin configurations for path handling.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3170
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in moaluko Store Locator store-locator allows PHP Local File Inclusion. This issue affects Store Locator: from n/a through <= 3.98.10.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A path traversal LFI in a public-facing WordPress plugin directly enables remote exploitation of the web application (T1190) and reading of arbitrary local system files (T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents path traversal attacks by validating pathname inputs to block traversal sequences and restrict access to arbitrary local files.
- SI-2 (Flaw Remediation): requires timely identification and patching of the vulnerable Store Locator plugin to remediate the improper path limitation flaw.
- Access enforcement: enforces logical access controls on system resources, limiting the impact of path traversal by restricting file access to authorized paths only.
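As an added example (not the plugin's or the advisory's code), the pathname validation that SI-10 calls for, written as a PHP check a WordPress plugin could apply to a user-supplied template name before it reaches include(); the function, parameter and directory names are hypothetical.

```php
<?php
// Added example, not the Store Locator plugin's or Patchstack's code: the pathname
// validation that SI-10 calls for, applied to a user-supplied template name before
// it reaches include(). Function, parameter and directory names are hypothetical.

// Shape of the weakness (CWE-22 leading to PHP LFI): the request value reaches
// include() unvalidated, so "../" sequences walk out of the templates directory.
//   include __DIR__ . '/templates/' . $_GET['template'] . '.php';

/**
 * Resolve a template name to a file inside $base_dir, or return null.
 * Layer 1 allowlists the name itself (input validation); layer 2 is a realpath()
 * containment check so a symlink or an encoding that slips past layer 1 still
 * cannot reference a file outside $base_dir.
 */
function resolve_template( string $name, string $base_dir ): ?string {
    if ( ! preg_match( '/\A[a-z0-9_-]{1,64}\z/', $name ) ) {
        return null;   // rejects "/", "../", NUL bytes and percent-encoded forms
    }
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $name . '.php' );
    if ( false === $candidate || ! is_file( $candidate ) ) {
        return null;   // missing, or not a regular file
    }
    // Strict prefix check: the resolved path must sit below $base, not equal it.
    if ( 0 !== strpos( $candidate, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $candidate;
}

// Self-contained demo: a throwaway templates directory holding one real template.
$dir = sys_get_temp_dir() . '/tpl_' . bin2hex( random_bytes( 4 ) );
mkdir( $dir );
file_put_contents( $dir . '/default.php', "<?php echo 'default template';\n" );

$probes = [ 'default', '../../../outside', "default\0", 'default/../default', '%2e%2e%2foutside' ];
foreach ( $probes as $p ) {
    $r = resolve_template( $p, $dir );
    printf( "%-26s => %s\n", json_encode( $p ), null === $r ? 'rejected (HTTP 400)' : "include $r" );
}
// Only "default" resolves; each traversal form is refused before include() runs.

unlink( $dir . '/default.php' );
rmdir( $dir );
```

The request handler should answer a null result with an error response rather than falling back to a default include, so that a rejected name is also visible in the web server logs.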