Cyber Resilience

CVE-2025-3294

Severity: High

Published: 17 April 2025

Modified: 09 July 2025
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0148 (81.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-3294 is a high-severity Path Traversal (CWE-22) vulnerability in Benjaminrojas Wp Editor. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 18.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to and including 1.2.9.1. This path traversal issue, tracked as CWE-22, allows an authenticated user to supply crafted paths that bypass intended restrictions when updating files through the plugin.

An attacker with Administrator-level access or higher can exploit the flaw over the network to overwrite arbitrary files on the server. Depending on the web server's write permissions, this can lead to remote code execution by replacing executable content such as PHP files.

The referenced WordPress plugin changeset and Wordfence advisory indicate that the issue is addressed by a code update in the plugin trunk that adds proper file path validation; site administrators should apply the patched version to eliminate the exposure.

The associated EPSS score remains low; its current value of 0.0148 sits only modestly below its recorded peak of 0.0233.


Vulnerability details

The WP Editor plugin for WordPress is vulnerable to arbitrary file update due to missing file path validation in all versions up to, and including, 1.2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to overwrite arbitrary files on the affected site's server which may make remote code execution possible assuming the files can be written to by the web server.

CWE(s): CWE-22

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

benjaminrojas wp editor: ≤ 1.2.9.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
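The mitigating control above (and the path-validation fix described in the analysis) comes down to canonicalising the requested path and confirming it stays under the directory the editor is allowed to touch. The following PHP function is an added example, not the plugin's own code or its patch; the function name wpe_confined_path and the choice of $base are assumptions.

```php
<?php
// Added example, not the WP Editor plugin's code: confine a user-supplied
// relative file path to one base directory before the file is read or
// written. The names here are hypothetical; in WordPress $base would
// typically be WP_CONTENT_DIR.
/**
 * Resolve $userPath relative to $base and return the canonical absolute
 * path, or null if the path is malformed or escapes $base.
 */
function wpe_confined_path(string $base, string $userPath): ?string
{
    // A NUL byte would truncate the path inside C-level filesystem calls.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // The base directory itself must exist and canonicalise cleanly.
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $baseReal = rtrim($baseReal, '/\\') . DIRECTORY_SEPARATOR;
    // Treat the input strictly as relative: normalise separators and strip
    // leading ones so an absolute path cannot replace $base.
    $candidate = $baseReal . ltrim(str_replace('\\', '/', $userPath), '/');

    // realpath() collapses '.' and '..' and follows symlinks, so a link that
    // points outside $base is caught too. It returns false for a file that
    // does not exist yet (an update that creates the file), so in that case
    // canonicalise the parent directory and re-attach the file name.
    $target = realpath($candidate);
    if ($target === false) {
        $name = basename($candidate);
        if ($name === '' || $name === '.' || $name === '..') {
            return null;
        }
        $parent = realpath(dirname($candidate));
        if ($parent === false) {
            return null;
        }
        $target = rtrim($parent, '/\\') . DIRECTORY_SEPARATOR . $name;
    }

    // The decisive check: the canonical target must begin with the canonical
    // base directory, trailing separator included (so /base2 != /base/).
    if (strncmp($target, $baseReal, strlen($baseReal)) !== 0) {
        return null;
    }
    return $target;
}
```

A traversal input such as ../../../etc/passwd canonicalises to a path outside $base and fails the prefix check, so the function returns null; a symlink inside the base that points outside it is rejected the same way because realpath() resolves it first.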
