CVE-2025-30567 Scanner

CVE-2025-30567 Scanner - Path Traversal vulnerability in WordPress WP01

Short Info

Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

WordPress WP01 is a plugin used in WordPress environments for file management and backup operations. It is widely utilized by administrators and site managers to facilitate the creation and storage of compressed archives of site content. WP01 integrates into the WordPress backend and provides a simplified interface for selecting and exporting files. It is commonly deployed on small to medium websites, particularly among users seeking lightweight file management tools. The plugin automates several file operations that typically require manual intervention. Its widespread use makes any vulnerabilities within it potentially impactful to numerous deployments.

The vulnerability allows attackers to exploit an improper restriction on file paths, enabling them to traverse directories outside of the intended scope. Specifically, a path traversal flaw exists in the WP01 plugin which can be triggered without authentication. When exploited, the flaw allows access to sensitive system files by manipulating request parameters. This vulnerability poses a significant threat due to its ease of exploitation and the sensitive nature of accessible files. If attackers are successful, they can download system files such as `/etc/passwd` using crafted requests. The flaw lies in how the plugin handles file archiving and retrieval functions.

The technical root of the vulnerability is found in how the plugin processes the `target` and `path` parameters within a POST request to `/wp-admin/admin-ajax.php`. The plugin fails to adequately sanitize the path input, allowing traversal to directories outside of the intended file structure. Once a ZIP archive is generated using this traversal, it is stored at a predictable location within `/wp-content/wp01-backup/`. A subsequent GET request to this path allows the attacker to retrieve the maliciously archived file. The request-response behavior confirms the existence and accessibility of the downloaded ZIP archive containing restricted system files. A successful attack returns a 200 status code and a ZIP content-type header.
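
The two-request sequence described above leaves a trace in web server access logs. The following is an added example, not code from the original page or the scanner: it flags successful ZIP downloads from `/wp-content/wp01-backup/` and marks those preceded by a POST to `/wp-admin/admin-ajax.php` from the same client. The log lines, IP addresses, archive file names and the five-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:15:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:15:03 +0000] "GET /wp-content/wp01-backup/site.zip HTTP/1.1" 200 1432 "-" "curl/8.5.0"
198.51.100.4 - - [12/Mar/2025:10:20:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2025:11:00:00 +0000] "GET /wp-content/wp01-backup/old.zip HTTP/1.1" 404 162 "-" "Mozilla/5.0"
192.0.2.33 - - [12/Mar/2025:12:00:00 +0000] "GET /wp-content/wp01-backup/full.zip HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
AJAX = "/wp-admin/admin-ajax.php"          # endpoint named on the page
BACKUP_PREFIX = "/wp-content/wp01-backup/"  # archive directory named on the page


def find_suspect_downloads(log_text, window=timedelta(minutes=5)):
    """Return (ip, path, correlated) for each 200 ZIP fetch from the backup dir.

    correlated is True when the same client POSTed to admin-ajax.php
    no more than `window` before the download (window is an assumed value).
    """
    last_post = {}  # client IP -> time of its most recent admin-ajax POST
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "POST" and path == AJAX:
            last_post[m["ip"]] = ts
        elif (m["method"] == "GET" and m["status"] == "200"
              and path.startswith(BACKUP_PREFIX) and path.lower().endswith(".zip")):
            prev = last_post.get(m["ip"])
            correlated = prev is not None and timedelta(0) <= ts - prev <= window
            hits.append((m["ip"], path, correlated))
    return hits


if __name__ == "__main__":
    for ip, path, correlated in find_suspect_downloads(SAMPLE_LOG):
        label = "POST+GET sequence" if correlated else "direct backup download"
        print(f"{ip} {path} {label}")
```

Access logs do not record the POST body, so the `target` and `path` values are not visible here; a correlated hit is a lead to check against the archive contents, since a legitimate administrator backup produces the same sequence.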

If successfully exploited, this vulnerability can result in unauthorized access to critical server files, potentially exposing user credentials, configuration settings, or other sensitive data. Malicious users may leverage this access to perform further attacks, such as privilege escalation or reconnaissance for more targeted exploits. The exposure of the `/etc/passwd` file, for example, could aid in brute-force or dictionary attacks against system accounts. Furthermore, if backup files contain sensitive plugin or database information, data leakage becomes a serious concern. This may ultimately compromise the integrity and confidentiality of the affected WordPress installation.
