CVE-2025-66428
Published: 22 January 2026
Summary
CVE-2025-66428 is a high-severity Path Traversal (CWE-22) vulnerability in Plesk (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 33.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-66428 is a privilege escalation vulnerability caused by an issue with WordPress directory names in WebPros WordPress Toolkit versions before 6.9.1. Published on 2026-01-22, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-22 (Path Traversal) and CWE-269 (Improper Privilege Management).
The vulnerability can be exploited by an attacker with low privileges (PR:L) over the network (AV:N), with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), allowing the attacker to escalate privileges within the affected WordPress Toolkit environment.
Plesk release notes for WordPress Toolkit 6.9.1 document the fix for this issue. Mitigation involves updating to version 6.9.1 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3789
Vulnerability details
An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct privilege escalation via path traversal and improper privilege management in a web management tool.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and patching of software flaws like CVE-2025-66428, directly addressing the privilege escalation via WordPress directory name handling by updating to WebPros WordPress Toolkit 6.9.1.
- SI-10 (Information Input Validation): Requires validation of information inputs such as directory names to block path traversal (CWE-22) exploits that enable privilege escalation in the WordPress Toolkit.
- AC-6 (Least Privilege): Enforces least privilege to restrict low-privilege (PR:L) attackers from achieving high-impact escalation (CWE-269) even if directory name traversal succeeds.
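As an added example of the SI-10 control above applied to the input this CVE concerns (a user-supplied WordPress directory name), the validator below combines an allow-list on the name with a containment check on the resolved path. It is not WordPress Toolkit or Plesk code; the document-root layout and the naming rule are assumptions.

```python
"""Validate a user-supplied WordPress directory name so the resolved path
never escapes the subscription's document root (CWE-22 defence, SI-10).

Added example for CVE-2025-66428, not WordPress Toolkit code; the
document-root layout and the naming rule are assumptions."""
import re
from pathlib import Path

# Assumed layout: one subscription docroot, one WordPress site per subdirectory.
DOCROOT = Path("/var/www/vhosts/example.test/httpdocs")

# Allow-list: a single path component, no leading dot, no separators or '%'.
# (Validate the *decoded* value; URL-decoding must happen before this check.)
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class InvalidDirectoryName(ValueError):
    """Raised when a directory name fails validation."""


def resolve_site_dir(name: str, docroot: Path = DOCROOT) -> Path:
    """Return the absolute site directory for `name`, or raise.

    Two layers: a syntactic allow-list on the name, then a semantic check
    that the resolved path is a direct child of `docroot`, which also
    catches a pre-existing symlink of that name pointing elsewhere."""
    if "\x00" in name:
        raise InvalidDirectoryName("NUL byte in directory name")
    if not _NAME_RE.fullmatch(name):
        raise InvalidDirectoryName(f"disallowed directory name: {name!r}")
    base = docroot.resolve()
    target = (base / name).resolve()   # non-strict: path need not exist yet
    if target.parent != base:
        raise InvalidDirectoryName(f"{name!r} escapes the document root")
    return target


def is_safe_site_dir(name: str, docroot: Path = DOCROOT) -> bool:
    """Accept/reject wrapper for request handlers."""
    try:
        resolve_site_dir(name, docroot)
        return True
    except InvalidDirectoryName:
        return False


if __name__ == "__main__":
    for candidate in ("blog", "wp-site_2.old", "../../etc", ".hidden", "a/b"):
        print(f"{candidate!r:16} -> {is_safe_site_dir(candidate)}")
```

The second layer matters even when the regex is correct: it rejects a name whose on-disk entry is already a symlink out of the docroot, which a purely syntactic check cannot see.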