CVE-2025-47492
Published: 23 May 2025
Summary
CVE-2025-47492 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.6 (High).
Operationally, it ranks in the top 19.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability CVE-2025-47492 is an improper limitation of a pathname to a restricted directory, known as path traversal (CWE-22), present in the Drag and Drop File Upload for Elementor Forms plugin by add-ons.org. It affects WordPress installations running this plugin from unknown versions through 1.4.3 and is rated 8.6 on CVSS 3.1 with network attack vector, low complexity, no privileges or user interaction required, and changed scope leading to high availability impact.
An unauthenticated remote attacker can supply crafted path sequences through the plugin's file upload handling to traverse directories and delete arbitrary files on the server, disrupting service availability for the affected site and potentially other components sharing the filesystem.
The Patchstack advisory identifies the issue specifically as an arbitrary file deletion vulnerability in the listed plugin versions and provides a database entry for tracking remediation. Exploitation probability remains low with an EPSS score of 0.0129 that has shown no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-28087
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms (drag-and-drop-file-upload-for-elementor-forms) allows Path Traversal. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.4.3.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely mitigating controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
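The control above, shown as an added PHP example that is not the plugin's code: a helper that confines a user-supplied file name to the intended upload directory before any file operation (such as deleting an uploaded file) is performed. The directory layout, file names and test inputs are constructed for the demo; the function name `resolve_within_dir` is an assumption.

```php
<?php
// Added example (not plugin code): confine a user-supplied name to the
// intended upload directory before acting on it. Returns the resolved
// absolute path on success, or null when the input must be rejected.
function resolve_within_dir(string $baseDir, string $userInput): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory does not exist
    }
    // Only a plain file name is acceptable: reject empty names, "." / "..",
    // directory separators (either style) and NUL bytes.
    if ($userInput === '' || $userInput === '.' || $userInput === '..'
        || strpbrk($userInput, "/\\\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userInput);
    if ($candidate === false) {
        return null; // target does not exist; nothing to act on
    }
    // realpath() collapses symlinks and ".." segments, so a prefix check on
    // the resolved path is reliable. The trailing separator in the prefix
    // keeps "/uploads-other" from matching a base of "/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed temporary layout: an uploads directory plus a sibling file
// outside it that must never be reachable through the helper.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/uploads/form-1.pdf', 'x');
file_put_contents($tmp . '/outside.txt', 'x');

$inputs = [
    'form-1.pdf',          // legitimate upload name: accepted
    '../outside.txt',      // traversal: rejected
    '..\\outside.txt',     // backslash separator: rejected
    "form-1.pdf\0.txt",    // NUL byte: rejected before realpath() sees it
    '/outside.txt',        // absolute path: rejected
];
foreach ($inputs as $name) {
    $resolved = resolve_within_dir($tmp . '/uploads', $name);
    printf("%-22s => %s\n", json_encode($name), $resolved === null ? 'REJECTED' : 'ok');
}
```

Only the resolved path returned by the helper should be handed to `unlink()` or similar; the raw request value is never used directly.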