CVE-2025-9518
Published: 04 September 2025
Summary
CVE-2025-9518 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 15.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Deeper analysis
The atec Debug plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation on the 'debug_path' parameter in all versions up to and including 1.2.22. The flaw is tracked as CVE-2025-9518 with a CVSS 3.1 score of 7.2 and is associated with CWE-36.
Authenticated attackers with Administrator-level access and above can exploit the issue over the network to delete arbitrary files on the server. Successful exploitation can readily lead to remote code execution when files such as wp-config.php are removed.
The EPSS score stands at 0.0202 with no material rise from its recorded peak. Public references include WordPress plugin source changesets and a Wordfence threat intelligence entry.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-34038
Vulnerability details
The atec Debug plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation on the 'debug_path' parameter in all versions up to, and including, 1.2.22. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.