CVE-2025-14388
Unknown Unknown - Not Provided
Unauthenticated Arbitrary File Read in PhastPress WordPress Plugin

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: Wordfence

Description
The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-23
Last Modified
2025-12-23
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14388
EUVD
EUVD-2025-204781
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence phastpress *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-158 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The PhastPress WordPress plugin up to version 3.7 is vulnerable to an Unauthenticated Arbitrary File Read attack via null byte injection. This happens because the plugin's extension validation function operates on URL-decoded paths, while the function that constructs the filesystem path strips everything after a null byte. An attacker can exploit this by appending a double URL-encoded null byte (%2500) followed by an allowed extension (like .txt) to a file path, enabling them to read arbitrary files from the webroot, including sensitive files like wp-config.php.

Impact Analysis

This vulnerability allows unauthenticated attackers to read arbitrary files on the web server, including sensitive configuration files such as wp-config.php. This can lead to exposure of database credentials, secret keys, and other sensitive information, potentially resulting in full site compromise, data breaches, and further exploitation. The CVSS score of 9.8 indicates a critical impact with high confidentiality, integrity, and availability consequences.

Detection Guidance

This vulnerability can be detected by attempting to access sensitive files such as wp-config.php via the vulnerable PhastPress plugin by sending HTTP requests that include a double URL-encoded null byte (%2500) followed by an allowed extension (e.g., .txt) appended to the file path. For example, you can use curl commands to test if arbitrary file read is possible: curl -v "http://yourwordpresssite.com/wp-content/plugins/phastpress/path/to/file/wp-config.php%2500.txt". If the contents of wp-config.php or other sensitive files are returned, the system is vulnerable. Monitoring web server logs for requests containing %2500 or suspicious file extension patterns may also help detect exploitation attempts. [2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the PhastPress plugin to version 3.8 or later, which includes the security fix for CVE-2025-14388. This update improves the validation of file extensions in URL handling, preventing unauthorized arbitrary file reads via null byte injection. Until the update is applied, consider restricting access to the plugin directory or implementing web application firewall (WAF) rules to block requests containing double URL-encoded null bytes (%2500) or suspicious file extension patterns. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14388. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart