Cyber Resilience

CVE-2025-25163

Severity: High
Published: 07 February 2025
Modified: 23 April 2026
KEV Added: not listed
Patch: no details in the referenced advisory
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.2636 (96.4th percentile)
Risk Priority: 31 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25163 is a high-severity path traversal (CWE-22) vulnerability in the Pluginab Plugin A/B Image Optimizer WordPress plugin. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.6% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25163 is a path traversal vulnerability (CWE-22) in the A/B Image Optimizer WordPress plugin authored by Zach Swetz. The flaw stems from improper limitation of pathnames to restricted directories and affects all versions through 3.3, allowing unauthorized access to files outside intended boundaries. It carries a CVSS 3.1 score of 7.5 reflecting network attack vector, low complexity, and no required privileges or user interaction.

An unauthenticated attacker can send crafted requests over the network to traverse directories and retrieve arbitrary files from the server, resulting in high-impact disclosure of sensitive data such as configuration files or source code. The vulnerability is tracked by Patchstack as an arbitrary file download issue in the images-optimizer plugin.

The single referenced advisory from Patchstack provides no explicit mitigation details such as patch availability or configuration changes. The EPSS score has reached a peak of 0.2737 with a current value of 0.2636, indicating moderate and relatively stable exploitation probability without evidence of a sharp post-disclosure increase.

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Zach Swetz Plugin A/B Image Optimizer images-optimizer allows Path Traversal. This issue affects Plugin A/B Image Optimizer: from n/a through <= 3.3.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in a public-facing WordPress plugin enables remote, unauthenticated arbitrary file download. This maps directly to T1190 (Exploit Public-Facing Application) for initial access and to T1005 (Data from Local System) for collection of sensitive files.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-12824 (shared CWE-22)
- CVE-2026-25965 (shared CWE-22)
- CVE-2025-30567 (shared CWE-22)
- CVE-2025-27098 (shared CWE-22)
- CVE-2024-55457 (shared CWE-22)
- CVE-2026-35485 (shared CWE-22)
- CVE-2024-54909 (shared CWE-22)
- CVE-2026-3405 (shared CWE-22)
- CVE-2025-41368 (shared CWE-22)
- CVE-2026-23850 (shared CWE-22)

Affected Assets

Vendor: pluginab
Product: Plugin A/B Image Optimizer
Versions: ≤ 3.3

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly mitigates path traversal by enforcing input validation mechanisms to sanitize and restrict pathname inputs to authorized directories.

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and remediation of software flaws such as this path traversal vulnerability through patching the affected plugin.

Boundary protection (prevent, detect)

Boundary protection at web application perimeters, such as WAFs, can inspect and block HTTP requests containing path traversal sequences targeting the vulnerable plugin.
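The SI-10 input-validation control above, as an added illustration that is not code from the plugin or from this advisory: a file-download handler that confines a user-supplied file name to one upload directory, rejecting `..` segments, absolute paths, backslash separators, NUL bytes and single- or double-percent-encoded variants of each. The base directory and request strings are constructed for the example.

```python
import os
import posixpath
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # enough to unwrap double-encoded sequences such as %252e%252e

def fully_decode(value: str) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %2e%2e%2f and %252e%252e%252f both end up as '../' before checking."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def safe_download_path(base_dir: str, requested: str):
    """Return the real path for `requested` if it stays inside base_dir, else None."""
    name = fully_decode(requested)
    if "\x00" in name:                      # NUL byte would truncate the name in C-level APIs
        return None
    name = name.replace("\\", "/")          # treat Windows separators as separators
    if not name.strip() or name.startswith("/"):
        return None                         # empty name or absolute path
    # Lexical check: after normalisation the first segment must not be '..'
    if posixpath.normpath(name).split("/")[0] == "..":
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Filesystem check: a symlink inside base_dir must not lead outside it,
    # and a sibling directory with a shared prefix (uploads-old) must not match.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

# Constructed sample requests (not taken from the advisory) and their verdicts.
BASE_DIR = "/srv/wp-uploads"  # hypothetical upload directory
SAMPLE_REQUESTS = [
    "2024/photo.jpg",                 # ordinary file inside the directory
    "sub/../photo.jpg",               # normalises to photo.jpg, still inside
    "../../wp-config.php",            # plain traversal
    "..%2F..%2Fwp-config.php",        # encoded separators
    "%252e%252e%252fwp-config.php",   # double-encoded traversal
    "..\\..\\wp-config.php",          # backslash separators
    "photo.jpg%00.png",               # NUL-byte truncation attempt
    "/etc/passwd",                    # absolute path
]

def verdicts() -> dict:
    """Map each sample request to True (allowed) or False (blocked)."""
    return {r: safe_download_path(BASE_DIR, r) is not None for r in SAMPLE_REQUESTS}
```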

References

Patchstack advisory (the single referenced source): arbitrary file download in the images-optimizer plugin.