CVE-2019-25295
Directory Traversal in WP Cost Estimation Plugin Allows File Overwrite
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_cost_estimation | plugin | to 9.660 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WP Cost Estimation plugin for WordPress has a vulnerability in versions before 9.660 where the uploadFormFiles function allows an attacker to perform an Upload Directory Traversal. This means an attacker can overwrite any file with a whitelisted type on the affected site by manipulating the upload path.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to overwrite files on the affected WordPress site, potentially leading to unauthorized changes or disruptions. Although it does not directly impact confidentiality, it can affect the integrity and availability of the site.