CVE-2025-10723 is a path traversal vulnerability identified in the PixelYourSite WordPress plugin, affecting all versions prior to 11.1.2. The root cause is improper validation of certain URL parameters that are used to construct file paths passed to internal functions. This flaw allows authenticated administrators to perform Local File Inclusion (LFI) attacks by manipulating these parameters to traverse directories and access files outside the intended restricted directory. The vulnerability falls under CWE-22, which concerns improper limitation of a pathname to a restricted directory. Since exploitation requires administrator privileges, the attack vector is limited to users with elevated access. The vulnerability does not impact integrity or availability but can lead to limited confidentiality breaches by exposing sensitive files on the server. The CVSS v3.1 base score is 2.7, reflecting low severity due to the requirement for privileges and limited impact. No public exploits or active exploitation have been reported. The vulnerability was reserved in September 2025 and published in October 2025. The absence of patch links suggests that users should upgrade to version 11.1.2 or later where the issue is fixed. This vulnerability highlights the importance of strict input validation and access control in WordPress plugins, especially those handling URL parameters that influence file system operations.

For European organizations, the primary impact of CVE-2025-10723 is the potential exposure of sensitive server files through LFI attacks, which could lead to information disclosure. Although the vulnerability requires administrator privileges, compromised or malicious admins could exploit it to access configuration files, credentials, or other sensitive data stored on the web server. This could facilitate further attacks such as privilege escalation or lateral movement within the network. The low CVSS score indicates limited direct damage, but the confidentiality breach risk is non-negligible, especially for organizations handling personal data under GDPR. Websites relying on PixelYourSite for analytics or marketing integration may be targeted, particularly in sectors like e-commerce, media, and digital services. The lack of known exploits reduces immediate risk, but the presence of the vulnerability in widely used WordPress plugins means attackers could develop exploits in the future. Organizations with multiple administrators or less stringent access controls are at higher risk. Overall, the impact is moderate in scope but important to address to maintain data confidentiality and regulatory compliance.

1. Immediately update the PixelYourSite plugin to version 11.1.2 or later, where the vulnerability is patched. 2. Restrict administrator privileges to trusted personnel only and regularly audit admin accounts for suspicious activity. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious URL parameter patterns indicative of path traversal attempts. 4. Harden WordPress installations by disabling unnecessary plugins and enforcing the principle of least privilege. 5. Monitor server logs for unusual file access patterns or error messages related to file inclusion. 6. Conduct regular security assessments and penetration testing focusing on plugin vulnerabilities and input validation. 7. Educate administrators about the risks of URL parameter manipulation and safe plugin management practices. 8. Consider isolating WordPress environments and sensitive data directories using containerization or strict filesystem permissions to limit the impact of potential LFI exploitation.