CVE-2025-0859: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in boldgrid Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
CVE-2025-0859 is a path traversal vulnerability in the BoldGrid Post and Page Builder WordPress plugin, affecting all versions up to 1. 27. 6. Authenticated users with Contributor-level access or higher can exploit this flaw via the template_via_url() function to read arbitrary files on the server. This can lead to exposure of sensitive information without requiring user interaction. The vulnerability has a CVSS score of 6. 5, indicating medium severity, with high confidentiality impact but no integrity or availability impact. No public exploits are currently known. Organizations using this plugin should prioritize patching or mitigating this issue to prevent unauthorized data disclosure. The threat primarily affects WordPress sites using BoldGrid, which are common in the US, UK, Canada, Australia, Germany, and other countries with significant WordPress adoption.
AI Analysis
Technical Summary
CVE-2025-0859 is a path traversal vulnerability classified under CWE-22 found in the Post and Page Builder by BoldGrid – Visual Drag and Drop Editor WordPress plugin. This vulnerability exists in all versions up to and including 1.27.6 and is exploitable via the template_via_url() function. The flaw allows authenticated attackers with Contributor-level privileges or higher to manipulate file path inputs improperly, bypassing directory restrictions and reading arbitrary files on the hosting server. This can expose sensitive files such as configuration files, credentials, or other private data stored on the server. The vulnerability does not require user interaction beyond authentication and does not impact integrity or availability, but it compromises confidentiality significantly. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, and the need for privileges but no user interaction. No known public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using this plugin, which is popular among website builders. The lack of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.
Potential Impact
The primary impact of CVE-2025-0859 is unauthorized disclosure of sensitive information due to arbitrary file read capabilities. Attackers with Contributor-level access can leverage this vulnerability to access configuration files, database credentials, or other sensitive data stored on the server, potentially leading to further compromise such as privilege escalation or data breaches. Since WordPress powers a significant portion of websites globally, and BoldGrid is a widely used plugin for site building, many organizations could be affected. The vulnerability does not affect system integrity or availability directly but can facilitate more severe attacks if sensitive data is exposed. Organizations relying on this plugin risk data leakage, reputational damage, and compliance violations if exploited. The medium severity score reflects the balance between the required privileges and the high confidentiality impact.
Mitigation Recommendations
Organizations should immediately review user roles and restrict Contributor-level or higher access to trusted users only. Implement strict access controls and monitor logs for unusual file access patterns related to the plugin. Disable or uninstall the BoldGrid Post and Page Builder plugin if not essential until a patch is released. Use web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the template_via_url() function. Regularly back up website data and server configurations to enable recovery in case of compromise. Stay informed about updates from BoldGrid and apply patches promptly once available. Additionally, conduct security audits on WordPress plugins to identify and remediate similar vulnerabilities proactively.
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, Netherlands, India, Brazil, Japan
CVE-2025-0859: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in boldgrid Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
Description
CVE-2025-0859 is a path traversal vulnerability in the BoldGrid Post and Page Builder WordPress plugin, affecting all versions up to 1. 27. 6. Authenticated users with Contributor-level access or higher can exploit this flaw via the template_via_url() function to read arbitrary files on the server. This can lead to exposure of sensitive information without requiring user interaction. The vulnerability has a CVSS score of 6. 5, indicating medium severity, with high confidentiality impact but no integrity or availability impact. No public exploits are currently known. Organizations using this plugin should prioritize patching or mitigating this issue to prevent unauthorized data disclosure. The threat primarily affects WordPress sites using BoldGrid, which are common in the US, UK, Canada, Australia, Germany, and other countries with significant WordPress adoption.
AI-Powered Analysis
Technical Analysis
CVE-2025-0859 is a path traversal vulnerability classified under CWE-22 found in the Post and Page Builder by BoldGrid – Visual Drag and Drop Editor WordPress plugin. This vulnerability exists in all versions up to and including 1.27.6 and is exploitable via the template_via_url() function. The flaw allows authenticated attackers with Contributor-level privileges or higher to manipulate file path inputs improperly, bypassing directory restrictions and reading arbitrary files on the hosting server. This can expose sensitive files such as configuration files, credentials, or other private data stored on the server. The vulnerability does not require user interaction beyond authentication and does not impact integrity or availability, but it compromises confidentiality significantly. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, and the need for privileges but no user interaction. No known public exploits have been reported yet, but the vulnerability poses a risk to WordPress sites using this plugin, which is popular among website builders. The lack of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.
Potential Impact
The primary impact of CVE-2025-0859 is unauthorized disclosure of sensitive information due to arbitrary file read capabilities. Attackers with Contributor-level access can leverage this vulnerability to access configuration files, database credentials, or other sensitive data stored on the server, potentially leading to further compromise such as privilege escalation or data breaches. Since WordPress powers a significant portion of websites globally, and BoldGrid is a widely used plugin for site building, many organizations could be affected. The vulnerability does not affect system integrity or availability directly but can facilitate more severe attacks if sensitive data is exposed. Organizations relying on this plugin risk data leakage, reputational damage, and compliance violations if exploited. The medium severity score reflects the balance between the required privileges and the high confidentiality impact.
Mitigation Recommendations
Organizations should immediately review user roles and restrict Contributor-level or higher access to trusted users only. Implement strict access controls and monitor logs for unusual file access patterns related to the plugin. Disable or uninstall the BoldGrid Post and Page Builder plugin if not essential until a patch is released. Use web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the template_via_url() function. Regularly back up website data and server configurations to enable recovery in case of compromise. Stay informed about updates from BoldGrid and apply patches promptly once available. Additionally, conduct security audits on WordPress plugins to identify and remediate similar vulnerabilities proactively.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-29T21:10:39.430Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6b6cb7ef31ef0b5554a5
Added to database: 2/25/2026, 9:36:44 PM
Last enriched: 2/25/2026, 11:56:39 PM
Last updated: 2/26/2026, 6:53:47 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup
HighFinding Signal in the Noise: Lessons Learned Running a Honeypot with AI Assistance [Guest Diary], (Tue, Feb 24th)
MediumCVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.