CVE-2025-12002 is a medium-severity path traversal vulnerability (CWE-22) found in the Awesome Motive YouTube Feed Pro WordPress plugin, affecting all versions up to and including 2.6.0. The vulnerability arises from improper sanitization of user-supplied input passed to the 'sby_check_wp_submit' AJAX action, which is used in file operations without adequate validation. This flaw allows unauthenticated attackers to craft requests that traverse directories and read arbitrary files on the web server. The exploitability depends on specific plugin settings: the 'Save Featured Images' option must be enabled, and 'Disable WP Posts' must be disabled, which influence how files are handled and stored. Since the attack vector is network-based and requires no authentication or user interaction, it poses a significant risk to exposed WordPress sites using this plugin. The vulnerability impacts confidentiality by potentially exposing sensitive server files, including configuration files, credentials, or other private data. However, it does not affect the integrity or availability of the system. No public exploits have been reported yet, but the presence of this vulnerability in a widely used WordPress plugin makes it a candidate for future exploitation. The CVSS v3.1 score is 5.9 (medium), reflecting the high attack complexity but no privileges or user interaction required. The vulnerability is specific to the Pro version of the plugin and does not affect the free version. As WordPress is widely used across Europe, especially in small and medium enterprises, this vulnerability could have broad implications if not addressed promptly.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive information stored on web servers running vulnerable versions of the YouTube Feed Pro plugin. This includes potentially critical data such as database credentials, API keys, or personal data protected under GDPR, which could result in regulatory penalties and reputational damage. The exposure of configuration files or other internal documents could facilitate further attacks, including privilege escalation or lateral movement within the network. Since WordPress powers a significant portion of European websites, especially in countries with high CMS adoption like Germany, the UK, France, and the Netherlands, the risk is substantial. Organizations in sectors such as finance, healthcare, and government, which often use WordPress for public-facing sites, are particularly vulnerable. The medium severity score indicates that while exploitation requires some conditions and has high complexity, the potential confidentiality impact is high. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often target popular CMS plugins. Failure to address this vulnerability could lead to data breaches and compliance violations under European data protection laws.

European organizations should take the following specific steps to mitigate this vulnerability: 1) Immediately update the YouTube Feed Pro plugin to a patched version once available from Awesome Motive. If no patch is yet released, consider temporarily disabling or uninstalling the plugin. 2) Review and disable the 'Save Featured Images' setting and enable 'Disable WP Posts' if these settings are not critical to business operations, as these influence exploitability. 3) Implement strict file system permissions on the WordPress installation to limit the plugin's ability to read sensitive files outside its intended directories. 4) Employ web application firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting the 'sby_check_wp_submit' action, especially those containing directory traversal patterns (e.g., ../). 5) Monitor web server logs for anomalous requests that may indicate exploitation attempts. 6) Conduct regular security audits and vulnerability scans focusing on WordPress plugins. 7) Educate site administrators on the risks of using outdated or vulnerable plugins and the importance of timely updates. 8) Consider isolating WordPress environments or using containerization to limit the blast radius of any compromise. These measures go beyond generic advice by focusing on configuration settings, access controls, and proactive monitoring tailored to this specific vulnerability.