CVE-2025-10723 is a security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) found in the PixelYourSite WordPress plugin prior to version 11.1.2. This vulnerability arises because the plugin fails to properly validate certain URL parameters before using them to construct file paths that are passed to internal functions. As a result, an attacker with administrative privileges on a WordPress site can manipulate these parameters to perform Local File Inclusion (LFI) attacks. LFI allows the attacker to read arbitrary files on the server, potentially exposing sensitive information such as configuration files, credentials, or other data stored on the web server. The CVSS v3.1 base score is 2.7, reflecting a low severity due to the requirement of administrative privileges (PR:H), no user interaction (UI:N), network attack vector (AV:N), and limited impact confined to confidentiality (C:L) without affecting integrity or availability. There are no known exploits in the wild, and no patches are linked in the provided data, but the vulnerability has been addressed in PixelYourSite version 11.1.2. The vulnerability is significant primarily in environments where multiple administrators exist or where admin accounts may be compromised or shared. Exploitation requires the attacker to already have elevated privileges, limiting the attack surface. However, given the widespread use of WordPress and PixelYourSite for marketing and analytics, the vulnerability could be leveraged as part of a broader attack chain to gain sensitive information from the server.

For European organizations, the impact of CVE-2025-10723 is primarily related to confidentiality breaches. If exploited, attackers with admin access could read sensitive files on the web server, potentially exposing credentials, internal configurations, or customer data. This could lead to further compromise, including privilege escalation or lateral movement within the network. The vulnerability does not directly impact integrity or availability, nor does it allow remote unauthenticated attackers to exploit it, which limits its immediate risk. However, organizations with multiple administrators or weak admin account management could be at higher risk. In sectors such as e-commerce, media, or any business relying on WordPress for critical web presence, unauthorized file disclosure could result in data leaks, regulatory non-compliance (e.g., GDPR), and reputational damage. The low CVSS score reflects limited direct impact, but the vulnerability should be addressed to maintain a strong security posture and prevent its use in multi-stage attacks.

1. Upgrade the PixelYourSite plugin to version 11.1.2 or later immediately, as this version contains fixes for the path traversal vulnerability. 2. Conduct a thorough audit of all WordPress administrator accounts to ensure that only trusted personnel have admin privileges, reducing the risk of insider threats or compromised accounts. 3. Implement strict access controls and multi-factor authentication (MFA) for all admin accounts to prevent unauthorized access. 4. Regularly monitor web server logs for unusual file access patterns that could indicate attempted exploitation of LFI vulnerabilities. 5. Employ Web Application Firewalls (WAF) with custom rules to detect and block path traversal attempts targeting URL parameters. 6. Review and harden file system permissions on the web server to limit the exposure of sensitive files even if LFI is attempted. 7. Educate site administrators about the risks of plugin vulnerabilities and the importance of timely updates. 8. Consider isolating critical WordPress instances or using containerization to limit the blast radius of potential exploits.