CVE-2025-4419

Sažetak

The Hot Random Image plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.2 via the 'path' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary images with allowed extensions, outside of the originally intended directory.

Reference

https://plugins.trac.wordpress.org/browser/hot-random-image/tags/1.9.2/hot_random_image.php#L57
https://plugins.trac.wordpress.org/changeset/3298033/
https://wordpress.org/plugins/hot-random-image/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/d6628232-0bd1-4194-8322-36084b1eb0f7?source=cve

CVSS

Base:	4.3
Impact:	1.4
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Zadnje važnije ažuriranje

23-05-2025 - 15:55

Objavljeno

22-05-2025 - 10:15