CVE-2025-25162
Published: 03 March 2025
Summary
CVE-2025-25162 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood score ranks in the top 33.9% of CVEs, and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-25162 is an Improper Limitation of a Pathname to a Restricted Directory vulnerability (CWE-22) in the kutu62 Sports Rankings and Lists WordPress plugin (slug: sports-rankings-lists), affecting all releases up to and including 1.0.2 (the advisory gives no lower bound). The variant is Absolute Path Traversal: the plugin accepts a caller-supplied pathname without confining it to its intended directory, so an attacker can name a target file by its absolute path and read it directly. Filters that only strip ../ sequences do not stop this variant; a correct check canonicalises the final path and verifies that it still lies under the intended directory.
With a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), the vulnerability is exploitable remotely over the network with low attack complexity, no privileges, and no user interaction. An unauthenticated attacker can read files on the affected server (high confidentiality impact); integrity and availability are not affected. In practice, what can be read is bounded by the permissions of the account the web server runs as, so site operators should review file ownership and modes under the WordPress install as well as removing or updating the plugin.
Patchstack tracks this issue in its vulnerability database entry for the Sports Rankings and Lists plugin.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5632
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in kutu62 Sports Rankings and Lists (sports-rankings-lists) allows Absolute Path Traversal. This issue affects Sports Rankings and Lists: from n/a through 1.0.2 (inclusive).
- CWE(s): CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Related Threats
MITRE ATT&CK Enterprise techniques
- T1190 Exploit Public-Facing Application
- T1005 Data from Local System
Why these techniques?
Path traversal in a public-facing WordPress plugin lets an unauthenticated remote attacker read files outside the intended directory, which maps directly to exploitation of a public-facing application (T1190) and to collection of sensitive data from the local file system (T1005).
Affected Assets
- kutu62 Sports Rankings and Lists WordPress plugin (slug: sports-rankings-lists), all versions through 1.0.2
Mitigating Controls (NIST 800-53 r5)
- SI-10 Information Input Validation: directly prevents path traversal by validating user-supplied pathname inputs (reject absolute paths and embedded NUL bytes, canonicalise, and confirm the result stays under the intended directory) before the sports-rankings-lists plugin opens the file.
- AC-3 Access Enforcement: enforces logical access restrictions on files so that, even if a pathname slips past validation, the account the web server runs as cannot read sensitive files outside the plugin's intended directory.
- SI-2 Flaw Remediation: requires timely identification, reporting, and correction of the flaw, which here means removing or updating the plugin on every site running an affected version (through 1.0.2).
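The following Python sketch is an added illustration, not the plugin's code and not taken from the advisory. It shows why an absolute path defeats a resolver that merely concatenates onto a base directory (the class of flaw described in the deeper analysis above) and what the SI-10 input-validation and AC-3 containment checks listed above look like in code. The upload directory name and the sample inputs are constructed for the example.

```python
"""Absolute path traversal (CWE-22) in a hypothetical file-serving resolver,
beside a hardened version. Illustrative example, not the plugin's code."""
import os

# Hypothetical plugin data directory (constructed for this example).
UPLOAD_DIR = "/var/www/html/wp-content/uploads/sports-rankings"

# Constructed attacker and legitimate inputs.
SAMPLE_INPUTS = [
    "2024/team.csv",                     # legitimate relative path
    "2024/../team.csv",                  # legitimate, normalises inside base
    "../../../../../../etc/passwd",      # classic relative traversal
    "/etc/passwd",                       # absolute traversal: no ../ to strip
    "team.csv\x00.png",                  # NUL byte truncation attempt
]


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """Naive resolver: joins the caller-controlled path onto the base directory.

    os.path.join() discards every earlier component when a later one is an
    absolute path, so user_path="/etc/passwd" resolves straight to /etc/passwd.
    A filter that strips "../" would not help here: there is nothing to strip.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Hardened resolver: validate the input (SI-10), then enforce containment (AC-3)."""
    base = os.path.realpath(base_dir)
    # Input validation: an absolute path or an embedded NUL byte is never a
    # legitimate name for a file that must live under base_dir. The NUL check
    # also has to come first, because realpath() raises on embedded NULs.
    if not user_path or os.path.isabs(user_path) or "\x00" in user_path:
        raise PermissionError(f"rejected input: {user_path!r}")
    candidate = os.path.realpath(os.path.join(base, user_path))
    # Access enforcement: after canonicalisation (which collapses "..", and
    # follows symlinks), the result must still sit inside the base directory.
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes base directory: {candidate}")
    return candidate


def classify(base_dir: str, user_paths):
    """Run both resolvers over the inputs; returns {input: (vulnerable, safe)}.

    The safe column holds the resolved path, or a "BLOCKED (...)" string
    carrying the rejection reason.
    """
    results = {}
    for p in user_paths:
        try:
            safe = safe_resolve(base_dir, p)
        except PermissionError as exc:
            safe = f"BLOCKED ({exc})"
        results[p] = (vulnerable_resolve(base_dir, p), safe)
    return results


def demo():
    """Resolve the constructed sample inputs against the hypothetical base."""
    return classify(UPLOAD_DIR, SAMPLE_INPUTS)


if __name__ == "__main__":
    for user_input, (vuln, safe) in demo().items():
        print(f"{user_input!r:36} vulnerable -> {vuln}")
        print(f"{'':36} hardened   -> {safe}")
```

The two legitimate inputs resolve to files under the base directory in both versions; the three hostile inputs resolve to /etc/passwd (or survive unchecked) in the naive resolver and are rejected by the hardened one. The containment test compares canonical paths rather than string prefixes, so a directory named, say, sports-rankings-old alongside the base is not mistaken for a child of it.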