Cyber Resilience

CVE-2025-30567

Severity: High
Published: 25 March 2025
Modified: 23 April 2026
KEV: not listed
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.4381 (97.6th percentile; peak 0.4640)
Risk Priority: 41 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30567 is a high-severity Path Traversal (CWE-22) vulnerability in the WP01 WordPress plugin, affecting all versions through 2.6.2. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score places this CVE in the top 2.4% of all CVEs by predicted exploit likelihood, although it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-30567 is a path traversal vulnerability, also described as an arbitrary file download issue, present in the WP01 WordPress plugin. It affects all versions through 2.6.2 and is tracked under CWE-22, carrying a CVSS 3.1 score of 7.5 that reflects network-accessible exploitation with no required credentials or user interaction and high impact to confidentiality.

An unauthenticated attacker can supply crafted path sequences over the network to retrieve files outside the intended directory, enabling disclosure of sensitive data stored on the server (for a WordPress host, wp-config.php with its database credentials is the obvious target). The EPSS score is 0.4381 at present against a peak of 0.4640, so the predicted probability of exploitation has held at a consistently high level rather than climbing from a low baseline.
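The check that closes this class of bug, as an added example that is not WP01's code or anything from the advisory: a path-containment resolver of the kind the SI-10 control below calls for, written in Python rather than the plugin's PHP so it can be run stand-alone. The function names, the upload-directory layout and the sample requests (including the encoded and null-byte variants) are assumptions made for this example, not observed traffic against WP01.

```python
"""Added example, not code from WP01 or the advisory: a path-containment
check of the kind NIST SI-10 describes, written in Python to illustrate the
defence against the arbitrary-file-download pattern above. The function
names, the upload directory layout and the sample requests are assumptions
made for this example."""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_download(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` inside `base_dir`, or None.

    Any request whose canonical path escapes the allowed directory is
    refused, regardless of how the traversal is encoded.
    """
    # Decode until stable: proxies and double-encoding leave %252e%252e%252f.
    candidate = requested
    for _ in range(3):
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    # A null byte truncates the path in C-backed file APIs; treat it as hostile.
    if "\x00" in candidate:
        return None
    # Normalise Windows separators so "..\\" is handled like "../".
    candidate = candidate.replace("\\", "/")
    # An absolute path would replace base_dir in os.path.join (POSIX host assumed).
    if candidate.startswith("/"):
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, candidate))
    # realpath also follows symlinks, so a planted link pointing outside the
    # upload directory fails this check. The trailing separator stops
    # "/srv/uploads-old" from matching "/srv/uploads".
    if not full.startswith(base + os.sep):
        return None
    return full


def demo() -> dict:
    """Exercise resolve_download against a temporary upload tree.

    Returns {request: accepted?} for constructed requests, not captured traffic.
    """
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "wp-content", "uploads", "wp01")
        os.makedirs(os.path.join(uploads, "reports"))
        open(os.path.join(uploads, "reports", "q1.pdf"), "w").close()
        open(os.path.join(tmp, "wp-config.php"), "w").close()
        requests = [
            "reports/q1.pdf",                      # legitimate download
            "reports/../reports/q1.pdf",           # ".." that stays inside
            "../../../wp-config.php",              # classic traversal
            "..%2f..%2f..%2fwp-config.php",        # URL-encoded separators
            "%252e%252e%252f%252e%252e%252f%252e%252e%252fwp-config.php",  # double-encoded
            "..\\..\\..\\wp-config.php",           # Windows separators
            "/etc/passwd",                         # absolute path
            "reports/q1.pdf\x00.txt",              # null-byte truncation
        ]
        return {req: resolve_download(uploads, req) is not None for req in requests}


if __name__ == "__main__":
    for req, accepted in demo().items():
        print(f"{'ALLOW' if accepted else 'DENY ':5} {req!r}")
```

The design point is that the decision is made on the canonical resolved path, not on the presence of a `../` substring: a substring filter is what `....//` and double-encoding bypass, whereas `realpath` followed by a prefix comparison is indifferent to how the traversal was spelled. Running the demo shows the first two requests allowed and the remaining six denied.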

The Patchstack advisory for this CVE documents the vulnerability and is the primary public source for further details on affected installations.


Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP01 (vendor WP01, plugin slug wp01) allows Path Traversal. This issue affects WP01: from n/a through 2.6.2.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in a public-facing WordPress plugin allows remote, unauthenticated exploitation of the web application (T1190), and the resulting arbitrary file reads are a direct form of local-system data collection (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
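What the T1190/T1005 mapping looks like on the wire, as an added example that is not from the page or the WP01 project: a detector for traversal attempts against the plugin's download endpoint, run over constructed Apache combined-format access-log lines. The endpoint path (/wp-content/plugins/wp01/), the `file` parameter name and every log line are assumptions made for this example; the advisory does not name the vulnerable parameter, so adapt the path and parameter before using this against real logs.

```python
"""Added example, not from the page or the WP01 project: a detector for the
T1190 traversal attempts described above, run over constructed Apache
combined-format access-log lines. The endpoint path, the `file` parameter
and every log line are assumptions; the advisory does not name the
vulnerable parameter."""
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, unquote

# Apache combined format, parsed far enough to recover client, request and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
PLUGIN_PATH = "/wp-content/plugins/wp01/"      # assumed endpoint location
SENSITIVE = ("wp-config.php", "/etc/passwd", ".env", ".htpasswd")
SENTINEL = "/__base__"                         # stand-in for the download root


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable, then normalise Windows separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def escapes_root(value: str) -> bool:
    """True if the value, joined under a root directory, resolves outside it."""
    if not value:
        return False
    if "\x00" in value:
        return True
    norm = posixpath.normpath(posixpath.join(SENTINEL, value))
    return norm != SENTINEL and not norm.startswith(SENTINEL + "/")


def classify(line: str) -> Optional[dict]:
    """Return a finding for a line carrying a traversal attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.startswith(PLUGIN_PATH):        # only the plugin endpoint matters here
        return None
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:                       # parse_qs decoded once already
            value = decode_fully(raw)
            if escapes_root(value):
                return {
                    "ip": m.group("ip"),
                    "param": name,
                    "decoded": value,
                    "status": int(m.group("status")),
                    "sensitive": any(s in value for s in SENSITIVE),
                }
    return None


def scan(lines) -> list:
    """Run classify over every line and return the findings in order."""
    return [f for f in map(classify, lines) if f is not None]


# Constructed sample log, not real traffic. Addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2025:10:14:02 +0000] "GET /wp-content/plugins/wp01/download.php?file=reports/q1.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [26/Mar/2025:10:14:09 +0000] "GET /wp-content/plugins/wp01/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3127 "-" "curl/8.4.0"',
    '198.51.100.23 - - [26/Mar/2025:10:14:11 +0000] "GET /wp-content/plugins/wp01/download.php?file=..%252f..%252f..%252f..%252fwp-config.php HTTP/1.1" 404 0 "-" "curl/8.4.0"',
    '198.51.100.23 - - [26/Mar/2025:10:14:15 +0000] "GET /wp-content/plugins/wp01/download.php?file=/etc/passwd HTTP/1.1" 200 2845 "-" "python-requests/2.32"',
    '192.0.2.9 - - [26/Mar/2025:10:15:40 +0000] "GET /wp-login.php?redirect_to=../admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Mar/2025:10:16:01 +0000] "GET /wp-content/plugins/wp01/download.php?file=reports/../reports/q2.pdf HTTP/1.1" 200 50112 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['status']} {f['param']}={f['decoded']}"
              + ("  [sensitive target]" if f["sensitive"] else ""))
```

Two design choices are worth noting. The detector flags a request only when the decoded value actually resolves outside the download root, so `reports/../reports/q2.pdf` is not a finding; if you want higher recall at the cost of noise, flag any `..` segment instead. A 200 status with a non-zero size on a sensitive target (the second and fourth sample lines) is the signal that the read succeeded and the incident is a confirmed disclosure rather than an attempt.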

CVEs Like This One

CVE-2025-12824 (shared CWE-22)
CVE-2026-25965 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)
CVE-2024-55457 (shared CWE-22)
CVE-2026-35485 (shared CWE-22)
CVE-2024-54909 (shared CWE-22)
CVE-2026-3405 (shared CWE-22)
CVE-2025-41368 (shared CWE-22)
CVE-2026-23850 (shared CWE-22)
CVE-2024-13471 (shared CWE-22)

Affected Assets

WP01 WordPress plugin, all versions through 2.6.2

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent)

Directly mitigates the path traversal vulnerability by requiring timely identification, reporting, and patching of the flaw in WP01 versions through 2.6.2 to prevent arbitrary file downloads.

SI-10 Information Input Validation (prevent)

Enforces validation of user-supplied pathname inputs so that traversal sequences such as '../' (including their URL-encoded forms) cannot reach files outside the directory the WP01 plugin is meant to serve.

AC-3 Access Enforcement (prevent)

Mandates enforcement of approved access authorizations for system resources, countering the bypass of directory restrictions caused by the path traversal flaw.
