CVE-2025-9518
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-04
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| atec | atec-debug | 1.2.3 |
| atec | atec | 1.2.23 |
| CWE ID | Description |
|---|---|
| CWE-36 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the atec Debug plugin for WordPress, where insufficient validation of the 'debug_path' parameter allows authenticated users with Administrator-level access or higher to delete arbitrary files on the server. This flaw can be exploited to delete critical files, such as wp-config.php, potentially leading to remote code execution.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker with Administrator-level access to delete important files on your server, which can disrupt your website's functionality and security. Deleting key files like wp-config.php can lead to remote code execution, giving the attacker full control over your server.