CVE-2025-25163
Published: 07 February 2025
Summary
CVE-2025-25163 is a high-severity Path Traversal (CWE-22) vulnerability in the Plugin A/B Image Optimizer WordPress plugin by Zach Swetz. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-25163 is a path traversal vulnerability (CWE-22) in the A/B Image Optimizer WordPress plugin authored by Zach Swetz. The flaw stems from improper limitation of pathnames to restricted directories and affects all versions through 3.3, allowing unauthorized access to files outside intended boundaries. It carries a CVSS 3.1 score of 7.5 reflecting network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated attacker can send crafted requests over the network to traverse directories and retrieve arbitrary files from the server, resulting in high-impact disclosure of sensitive data such as configuration files or source code. The vulnerability is tracked by Patchstack as an arbitrary file download issue in the images-optimizer plugin.
The single referenced advisory from Patchstack provides no explicit mitigation details such as patch availability or configuration changes. The EPSS score has reached a peak of 0.2737 with a current value of 0.2636, indicating moderate and relatively stable exploitation probability without evidence of a sharp post-disclosure increase.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4068
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Zach Swetz Plugin A/B Image Optimizer images-optimizer allows Path Traversal. This issue affects Plugin A/B Image Optimizer: from n/a through <= 3.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing WordPress plugin enables remote unauthenticated arbitrary file download, directly mapping to T1190 (Exploit Public-Facing Application) for initial access and T1005 (Data from Local System) for collection of sensitive files.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates path traversal by enforcing input validation that sanitizes pathname inputs and restricts them to authorized directories.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and remediation of software flaws such as this path traversal vulnerability by patching the affected plugin.
- SC-7 (Boundary Protection): boundary protection at the web application perimeter, such as a WAF, can inspect and block HTTP requests containing path traversal sequences aimed at the vulnerable plugin.
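As an added illustration of the SI-10 and SC-7 controls above (example code, not from the plugin or from Patchstack), the following Python confines a file-download parameter to an allowed directory and adds a coarse check that a perimeter filter or log review could use to flag traversal encodings. The base directory `/srv/uploads`, the function names and the sample request strings are assumptions constructed for the example.

```python
import os
from urllib.parse import unquote

# Encodings a perimeter filter (SC-7) would flag in a file-download
# parameter: literal and percent-encoded dot-dot segments plus NUL bytes.
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e", "%00")


def safe_image_path(base_dir: str, requested: str):
    """Return the canonical path of `requested` if it resolves inside
    `base_dir`, else None. Hypothetical helper showing SI-10 style
    input validation for a file-download parameter (example code, not
    the plugin's own)."""
    # Decode once so "%2e%2e" is judged by the same rule as a literal "..".
    candidate = unquote(requested)
    # A NUL byte can truncate the path in lower layers; reject outright.
    if "\x00" in candidate:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `candidate` is absolute, and
    # realpath collapses ".." and follows symlinks, so the containment
    # check below runs on the final filesystem target.
    target = os.path.realpath(os.path.join(base, candidate))
    try:
        # Component-wise containment, not a string prefix test, so that
        # "/srv/uploads_evil" is not accepted as being under "/srv/uploads".
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    return target if inside else None


def request_has_traversal_marker(raw: str) -> bool:
    """Coarse log/WAF signal: True if the raw or once-decoded request
    string carries a traversal or NUL-byte encoding (case-insensitive).
    A detection aid, not a replacement for safe_image_path()."""
    forms = (raw.lower(), unquote(raw).lower())
    return any(marker in form for form in forms for marker in TRAVERSAL_MARKERS)
```

The containment check accepts `sub/../cat.png` (it stays under the base) while rejecting `../../etc/passwd`, an absolute path, a percent-encoded dot-dot sequence and a sibling directory that merely shares the base's name as a prefix.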