CVE-2025-14059
Path Traversal in EmailKit WordPress Plugin Allows Arbitrary File Read
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | emailkit | up to and including 1.6.1 |
| unknown_vendor | emailkit | 1.6.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated users with Author-level permissions or higher to read arbitrary files on the server, including sensitive configuration files. Such unauthorized access to sensitive data could lead to exposure of personal or protected information, potentially violating data protection regulations like GDPR or HIPAA. Therefore, exploitation of this vulnerability may result in non-compliance with these standards due to unauthorized data disclosure. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring REST API requests to the EmailKit plugin's `create-template` endpoint, specifically looking for POST requests containing the `emailkit-editor-template` parameter with suspicious file paths attempting directory traversal. You can check WordPress REST API logs or use tools like curl to simulate requests. For example, a command to test might be:

`curl -X POST -H "X-WP-Nonce: <nonce>" -d "emailkit-editor-template=../../../../etc/passwd" https://yourwordpresssite.com/wp-json/emailkit/v1/create-template`

If the server responds with file contents or does not reject the request with an invalid path error, the vulnerability may be present. Additionally, reviewing plugin versions and ensuring they are updated to 1.6.2 or later can help detect vulnerable installations. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Update the EmailKit WordPress plugin to version 1.6.2 or later, where the vulnerability is fixed.
2. Restrict access to the REST API endpoints by ensuring only authenticated users with appropriate permissions (Author-level or higher) can access them.
3. Monitor and audit REST API usage for suspicious activity involving the `create-template` endpoint.
4. If updating immediately is not possible, consider disabling the EmailKit plugin or restricting REST API access via firewall or security plugins.

These steps will prevent exploitation of the arbitrary file read vulnerability via path traversal. [3]
Can you explain this vulnerability to me?
This vulnerability is an Arbitrary File Read via Path Traversal in the EmailKit plugin for WordPress (up to version 1.6.1). It occurs because the `create_template` REST API endpoint does not properly validate the path in the `emailkit-editor-template` parameter. An authenticated attacker with Author-level permissions or higher can exploit this by providing crafted input that is passed directly to the `file_get_contents()` function without sanitization, allowing them to read arbitrary files on the server.
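The following is an added illustration of the CWE-73 fix pattern the explanation above implies, written for this page; it is not EmailKit's code, and the route, function names and template directory (`example/v1`, `example_resolve_template`, `EXAMPLE_TEMPLATE_DIR`) are assumptions. It shows a REST handler that resolves the user-supplied template name against an allow-listed directory before calling `file_get_contents()`, rejecting any value that would escape that directory.

```php
<?php
// Added example (hypothetical names), not the plugin's own code.
// Template files are assumed to live in a fixed directory under the plugin.
define('EXAMPLE_TEMPLATE_DIR', __DIR__ . '/templates');

/**
 * Resolve a user-supplied template name to a file inside EXAMPLE_TEMPLATE_DIR.
 * Returns the absolute path, or null when the name is rejected.
 */
function example_resolve_template(string $name): ?string {
    // Reject anything carrying a directory component: basename() differs from
    // the input whenever a slash, backslash or trailing separator is present.
    $base = basename($name);
    if ($base === '' || $base !== $name) {
        return null;
    }
    // Allow-list the character set and extension rather than block-listing "..".
    if (!preg_match('/^[A-Za-z0-9_-]+\.json$/', $base)) {
        return null;
    }
    // realpath() collapses ".." segments and symlinks; the prefix comparison
    // then guarantees the final path is inside the template directory.
    $root = realpath(EXAMPLE_TEMPLATE_DIR);
    $path = realpath(EXAMPLE_TEMPLATE_DIR . DIRECTORY_SEPARATOR . $base);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Vulnerable shape described on this page (for contrast only, do not use):
//   $content = file_get_contents($request->get_param('emailkit-editor-template'));
function example_create_template(WP_REST_Request $request) {
    $name = (string) $request->get_param('emailkit-editor-template');
    $path = example_resolve_template($name);
    if ($path === null) {
        return new WP_Error('invalid_template', 'Invalid template path', ['status' => 400]);
    }
    $content = file_get_contents($path);
    return rest_ensure_response(['template' => $content]);
}

add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/create-template', [
        'methods'             => 'POST',
        'callback'            => 'example_create_template',
        // Author-level users hold edit_posts; tighten this to the capability
        // the feature actually needs rather than relying on authentication alone.
        'permission_callback' => function () { return current_user_can('edit_posts'); },
    ]);
});
```

The two checks are deliberately redundant: the allow-list rejects traversal strings such as `../../../../etc/passwd` before any filesystem call, and the `realpath()` prefix comparison catches cases the pattern might miss (symlinks inside the template directory, platform-specific separators). Logging rejected names at the `return null` points gives the detection signal the Q&A above recommends monitoring for.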
How can this vulnerability impact me?
An attacker with Author-level permissions or higher can read arbitrary files on the server, including sensitive configuration files such as `/etc/passwd` and `wp-config.php`. This can lead to exposure of sensitive information, which could be used for further attacks or data exfiltration. The file contents can be accessed via the REST API and exfiltrated through MetForm's email confirmation feature.