Cyber Resilience

CVE-2025-47492

High

Published: 23 May 2025

Modified: 23 April 2026
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0129 (80.1th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-47492 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, it ranks in the top 19.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2025-47492 is an improper limitation of a pathname to a restricted directory, known as path traversal (CWE-22), present in the Drag and Drop File Upload for Elementor Forms plugin by add-ons.org. It affects WordPress installations running this plugin from unknown versions through 1.4.3 and is rated 8.6 on CVSS 3.1 with network attack vector, low complexity, no privileges or user interaction required, and changed scope leading to high availability impact.

An unauthenticated remote attacker can supply crafted path sequences through the plugin's file upload handling to traverse directories and delete arbitrary files on the server, disrupting service availability for the affected site and potentially other components sharing the filesystem.

The Patchstack advisory identifies the issue specifically as an arbitrary file deletion vulnerability in the listed plugin versions and provides a database entry for tracking remediation. Exploitation probability remains low with an EPSS score of 0.0129 that has shown no material increase since disclosure.

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms (drag-and-drop-file-upload-for-elementor-forms) allows Path Traversal. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.4.3.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
