Cyber Posture

CVE-2026-25397

High

Published: 25 March 2026

Published
25 March 2026
Modified
28 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0008 22.9th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25397 is a high-severity Path Traversal: '.../...//' (CWE-35) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely identification, reporting, and correction of flaws like this path traversal vulnerability in the WooCommerce plugin, preventing exploitation through patching.

SI-10 Information Input Validation good match
prevent

Mandates validation of file path inputs at upload points to reject traversal sequences such as '.../...//', directly blocking the attack vector.

SI-9 Information Input Restrictions good match
prevent

Restricts file uploader inputs to explicitly permitted safe paths and formats, preventing directory traversal to sensitive files.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
Why these techniques?

Path traversal in unauthenticated public-facing WooCommerce plugin directly enables remote file read (T1190 initial access + T1005 data from local system).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Path Traversal: '.../...//' vulnerability in Snowray Software File Uploader for WooCommerce file-uploader-for-woocommerce allows Path Traversal.This issue affects File Uploader for WooCommerce: from n/a through <= 1.0.4.

Deeper analysisAI

CVE-2026-25397 is a path traversal vulnerability involving the '.../...//' sequence in the Snowray Software File Uploader for WooCommerce plugin (file-uploader-for-woocommerce). This issue affects all versions from n/a through 1.0.4 and is classified under CWE-35. The vulnerability was published on 2026-03-25 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction due to its network accessibility and low attack complexity. Successful exploitation enables high confidentiality impact, allowing attackers to traverse directories and access sensitive files on the server, while integrity and availability remain unaffected.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/file-uploader-for-woocommerce/vulnerability/wordpress-file-uploader-for-woocommerce-plugin-1-0-4-path-traversal-vulnerability?_s_id=cve provides further details on the vulnerability for mitigation guidance.

Details

CWE(s)
CWE-35

CVEs Like This One

CVE-2025-25122Shared CWE-35
CVE-2025-42937Shared CWE-35
CVE-2025-22205Shared CWE-35
CVE-2024-54362Shared CWE-35
CVE-2025-41723Shared CWE-35
CVE-2025-24786Shared CWE-35
CVE-2025-24685Shared CWE-35
CVE-2024-49249Shared CWE-35
CVE-2025-59793Shared CWE-35
CVE-2025-67914Shared CWE-35

References