CVE-2025-14388
Unauthenticated Arbitrary File Read in PhastPress WordPress Plugin
Publication date: 2025-12-23
Last updated on: 2025-12-23
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | phastpress | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-158 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The PhastPress WordPress plugin up to version 3.7 is vulnerable to an Unauthenticated Arbitrary File Read attack via null byte injection. This happens because the plugin's extension validation function operates on URL-decoded paths, while the function that constructs the filesystem path strips everything after a null byte. An attacker can exploit this by appending a double URL-encoded null byte (%2500) followed by an allowed extension (like .txt) to a file path, enabling them to read arbitrary files from the webroot, including sensitive files like wp-config.php.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated attackers to read arbitrary files on the web server, including sensitive configuration files such as wp-config.php. This can lead to exposure of database credentials, secret keys, and other sensitive information, potentially resulting in full site compromise, data breaches, and further exploitation. The CVSS score of 9.8 indicates a critical impact with high confidentiality, integrity, and availability consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access sensitive files such as wp-config.php via the vulnerable PhastPress plugin by sending HTTP requests that include a double URL-encoded null byte (%2500) followed by an allowed extension (e.g., .txt) appended to the file path. For example, you can use curl commands to test if arbitrary file read is possible: curl -v "http://yourwordpresssite.com/wp-content/plugins/phastpress/path/to/file/wp-config.php%2500.txt". If the contents of wp-config.php or other sensitive files are returned, the system is vulnerable. Monitoring web server logs for requests containing %2500 or suspicious file extension patterns may also help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the PhastPress plugin to version 3.8 or later, which includes the security fix for CVE-2025-14388. This update improves the validation of file extensions in URL handling, preventing unauthorized arbitrary file reads via null byte injection. Until the update is applied, consider restricting access to the plugin directory or implementing web application firewall (WAF) rules to block requests containing double URL-encoded null bytes (%2500) or suspicious file extension patterns. [2]