CVE-2025-30567
Published: 25 March 2025
Summary
CVE-2025-30567 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-30567 is a path traversal vulnerability, also described as an arbitrary file download issue, present in the WP01 WordPress plugin. It affects all versions through 2.6.2 and is tracked under CWE-22, carrying a CVSS 3.1 score of 7.5 that reflects network-accessible exploitation with no required credentials or user interaction and high impact to confidentiality.
An unauthenticated attacker can supply crafted path sequences over the network to retrieve files outside the intended directory, enabling disclosure of sensitive data stored on the server. The EPSS values supplied with the record (0.4381 current, 0.4640 peak) do not indicate a material rise from a low baseline.
The Patchstack advisory at the referenced URL documents the vulnerability and is the primary public source for further details on affected installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8102
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP01 WP01 wp01 allows Path Traversal. This issue affects WP01: from n/a through <= 2.6.2.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1005 Data from Local System
Why these techniques?
Path traversal in public-facing WordPress plugin enables remote unauthenticated exploitation of web application (T1190) and direct arbitrary file reads for local system data collection (T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the path traversal vulnerability by requiring timely identification, reporting, and patching of the flaw in WP01 versions through 2.6.2 to prevent arbitrary file downloads.
- SI-10 (Information Input Validation): Enforces validation of user-supplied pathname inputs to block traversal sequences like '../' that enable access to files outside restricted directories in the WP01 plugin.
- Access enforcement: Mandates enforcement of approved access authorizations for system resources, countering the bypass of directory restrictions caused by the path traversal flaw.
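As an added illustration of the input-validation control above (constructed for this page, not code from the WP01 plugin), a hypothetical WordPress download handler is shown in its unchecked form next to a hardened form that canonicalises the requested path with realpath() and refuses anything resolving outside the plugin's export directory. The function names, the `file` request parameter and the `$export_dir` location are assumptions.

```php
<?php
// Hypothetical handler, constructed for illustration; not WP01 plugin code.

// Unchecked variant: the "file" request parameter is joined to the export
// directory as-is, so "../" segments resolve to files outside $export_dir.
function wp01_download_unchecked( $export_dir ) {
    $name = isset( $_GET['file'] ) ? (string) $_GET['file'] : '';
    readfile( $export_dir . '/' . $name ); // CWE-22: no containment check
}

// Hardened variant: resolve both the base directory and the requested file,
// then require the resolved file to sit inside the resolved base directory.
function wp01_resolve_export_path( $export_dir, $name ) {
    $base = realpath( $export_dir );
    if ( $base === false ) {
        return null; // export directory missing; refuse rather than guess
    }
    // Only a bare file name is expected: reject empty names, embedded NUL
    // bytes (which would make realpath() throw on PHP 8) and any path
    // separators or ".." segments.
    if ( $name === '' || strpos( $name, "\0" ) !== false || $name !== basename( $name ) ) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks, so a traversal
    // attempt or a symlink pointing elsewhere shows up as a path outside $base.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( $target === false || strpos( $target, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $target;
}

function wp01_download_hardened( $export_dir ) {
    $name   = isset( $_GET['file'] ) ? (string) $_GET['file'] : '';
    $target = wp01_resolve_export_path( $export_dir, $name );
    if ( $target === null ) {
        status_header( 404 ); // WordPress core helper, assumed to be loaded
        exit;
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $target ) . '"' );
    readfile( $target );
    exit;
}
```

The prefix comparison uses `$base . DIRECTORY_SEPARATOR` rather than `$base` alone so that a sibling directory whose name merely starts with the base name (for example `exports-old` next to `exports`) is not accepted.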