CVE-2025-6070
BaseFortify
Publication date: 2025-06-14
Last updated on: 2025-06-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Restrict File Access WordPress plugin (up to version 1.1.2) and is a Directory Traversal flaw in the output() function. It allows authenticated users with Subscriber-level access or higher to read arbitrary files on the server by manipulating file requests. Essentially, the plugin's access control can be bypassed to access sensitive files outside the intended directories. [1]
How can this vulnerability impact me? :
An attacker with at least Subscriber-level access can exploit this vulnerability to read any file on the server, potentially exposing sensitive information such as configuration files, credentials, or private data. This can lead to information disclosure, which may facilitate further attacks or compromise the security of the website and server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can lead to unauthorized disclosure of sensitive personal or protected information stored on the server, which may violate data protection regulations such as GDPR or HIPAA. Organizations affected by this vulnerability could face compliance issues due to inadequate protection of confidential data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to URLs matching the pattern /file/<filename> on WordPress sites using the Restrict File Access plugin. Since the vulnerability allows authenticated users with Subscriber-level access or higher to read arbitrary files via the output() function, you can check for suspicious access patterns or unexpected file retrievals through these URLs. Commands to detect such activity could include using web server access logs to grep for requests to /file/ paths, for example: 1) On Linux systems, use: `grep '/file/' /var/log/apache2/access.log` or `grep '/file/' /var/log/nginx/access.log` to find requests to the vulnerable endpoint. 2) Use curl or wget to test access with authenticated user cookies or tokens to see if arbitrary files can be accessed, e.g.: `curl -b cookies.txt https://example.com/file/sensitive_file.txt` where cookies.txt contains authentication cookies. 3) Use WordPress user role enumeration combined with file access attempts to verify if Subscriber-level users can access restricted files. These methods help detect exploitation attempts or confirm vulnerability presence. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Restrict access to the /file/ URL pattern by limiting it to trusted user roles or disabling the plugin until a patch is available. 2) Update the Restrict File Access plugin to a version later than 1.1.2 once a fix is released. 3) Review and tighten user role permissions to ensure that only necessary roles have access to file retrieval functionality. 4) Monitor and audit access logs for suspicious file access attempts. 5) If possible, implement web application firewall (WAF) rules to block or alert on suspicious requests to the /file/ endpoint. These steps help prevent unauthorized file access while awaiting an official patch. [1]