CVE-2025-23819
Published: 03 February 2025
Summary
CVE-2025-23819 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 29.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-23819 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability, classified under CWE-22, that enables Absolute Path Traversal in the WP Cloud plugin developed by Marco Milesi. The flaw affects all versions of the WP Cloud plugin up to and including 1.4.3 (listed as "n/a through 1.4.3" in the CVE record), as published on 2025-02-03.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): it is exploitable over the network by an unauthenticated attacker, with low attack complexity and no user interaction required. Successful exploitation yields a high confidentiality impact, since the plugin accepts a pathname it should have restricted and an attacker can reach files outside the intended directory; integrity and availability are not affected per the vector.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/cloud/vulnerability/wordpress-wp-cloud-plugin-1-4-3-arbitrary-file-deletion-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3449
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Marco Milesi WP Cloud cloud allows Absolute Path Traversal. This issue affects WP Cloud: from n/a through <= 1.4.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing WordPress plugin enables unauthenticated exploitation over the network (T1190) in order to read restricted local files (T1005).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires input validation mechanisms at entry points to sanitize pathnames and block absolute path traversal attempts like those in CVE-2025-23819.
- Ensures timely remediation of the specific path traversal flaw in the WP Cloud plugin versions through 1.4.3 to prevent exploitation.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies path traversal vulnerabilities such as CVE-2025-23819 in WordPress plugins for prioritization and patching.
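The SI-10 control above and the "Deeper analysis" section both come down to one check: a user-supplied pathname must be rejected if it is absolute or if it escapes the plugin's storage directory. The following is an added illustration of that check, written here in Python for portability; it is not code from the WP Cloud plugin (which is PHP) or from the advisory, and the base directory is a constructed value.

```python
import os

# Constructed storage directory for the example (hypothetical; a real plugin
# would derive this from its own upload/storage location, not hard-code it).
BASE_DIR = "/var/www/html/wp-content/uploads/wp-cloud"


def resolve_within(base_dir: str, user_path: str):
    """Return the normalised path of user_path inside base_dir, or None if the
    request must be refused. Checks, in order:
      1. empty input or embedded NUL bytes (truncation tricks in C-backed APIs);
      2. absolute paths, the CWE-22 variant named in the advisory (Absolute Path
         Traversal): a pathname such as /etc/passwd is refused outright;
      3. relative traversal ('..'), caught by normalising the joined path;
      4. a final containment check so that the result still lies under base_dir.
    """
    if not user_path or "\x00" in user_path:
        return None
    if os.path.isabs(user_path):
        return None
    base = os.path.normpath(os.path.abspath(base_dir))
    candidate = os.path.normpath(os.path.join(base, user_path))
    # commonpath only raises on mixed absolute/relative input; both are absolute here.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if candidate == base:
        return None  # the storage directory itself is not a file to serve
    # The checks above are lexical. Before opening an existing file, a plugin should
    # additionally resolve symlinks (os.path.realpath) and repeat the containment test.
    return candidate


def safe_to_serve(user_path: str) -> bool:
    """Convenience wrapper a request handler would call before touching the file."""
    return resolve_within(BASE_DIR, user_path) is not None


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, the rest shaped like traversal attempts.
    for p in ["reports/2025.pdf", "reports/./2025.pdf", "/etc/passwd",
              "../../wp-config.php", "reports/../../wp-config.php", "a\x00b", "."]:
        print(repr(p), "->", resolve_within(BASE_DIR, p))
```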