CVE-2025-12002: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Awesome Motive YouTube Feed Pro
The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube.
AI Analysis
Technical Summary
CVE-2025-12002 is a path traversal vulnerability (CWE-22) in the Feeds for YouTube Pro plugin for WordPress by Awesome Motive. It affects all versions up to and including 2.6.0 and stems from improper sanitization of user-supplied input in the 'sby_check_wp_submit' AJAX action: the input is passed to a file operation without adequate validation, so an unauthenticated attacker can traverse directories and read arbitrary files on the server. Exposure is limited to configurations where the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled, the two settings that govern the plugin's file handling. No authentication or user interaction is required, which raises the risk profile. The CVSS v3.1 base score is 5.9 (medium): network attack vector, high attack complexity, no privileges required, no user interaction, high confidentiality impact, and no integrity or availability impact. No public exploits have been reported to date, but the plugin's popularity for embedding YouTube feeds makes the issue a significant concern for sites that rely on it. No patch link is available, so remediation may depend on a vendor update or on manual mitigation steps.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive server-side files, which may include configuration files, credentials, or other private data. Exposure of such information can lead to further attacks, including privilege escalation or lateral movement within the network. Organizations using WordPress sites with the affected plugin, especially those with the vulnerable settings enabled, are at risk of data breaches. The impact is primarily on confidentiality, with no direct effect on data integrity or service availability. Given the widespread use of WordPress across Europe, especially among SMEs and content-driven websites, the potential attack surface is significant. Additionally, organizations subject to GDPR must consider the regulatory implications of unauthorized data exposure. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is publicly known.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Feeds for YouTube Pro plugin and verify the version in use. If the plugin is installed, review its configuration: disable 'Save Featured Images' or enable 'Disable WP Posts' as temporary mitigations to reduce exposure. Monitor and restrict requests to the admin-ajax.php endpoint that invoke the 'sby_check_wp_submit' action, using a web application firewall or server-level rules to block suspicious requests. Implement strict input validation and sanitization on the server side if custom modifications are possible. Update the plugin as soon as the vendor releases a patch addressing this vulnerability. Additionally, review file system permissions to ensure that sensitive files are not readable by the web server user beyond what is necessary. Employ intrusion detection systems to monitor for anomalous file access patterns. Finally, maintain comprehensive backups and incident response plans in case of exploitation.
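As an added defender-side example (not part of the advisory or the plugin's code), the following Python scans access-log lines for requests to admin-ajax.php that invoke the 'sby_check_wp_submit' action and carry a traversal sequence in any query parameter, undoing repeated percent-encoding first. The log lines and the parameter name 'file' are constructed for illustration; the advisory does not name the vulnerable parameter, so every parameter is inspected.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format), not real traffic.
# Only line 2 and line 3 should be flagged: line 1 is a normal request and
# line 4 targets a different AJAX action.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jan/2026:02:36:36 +0000] "GET /wp-admin/admin-ajax.php?action=sby_check_wp_submit&file=feed-thumb.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [17/Jan/2026:02:37:01 +0000] "GET /wp-admin/admin-ajax.php?action=sby_check_wp_submit&file=..%2F..%2Fexample.txt HTTP/1.1" 200 2048 "-" "curl/8.4"
203.0.113.12 - - [17/Jan/2026:02:37:30 +0000] "GET /wp-admin/admin-ajax.php?action=sby_check_wp_submit&file=%252e%252e/%252e%252e/example.txt HTTP/1.1" 200 2048 "-" "python-requests/2.32"
203.0.113.13 - - [17/Jan/2026:02:38:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat&data=..%2F HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# A ".." path segment delimited by a slash or backslash (or string start/end).
TRAVERSAL = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value: str) -> bool:
    """True if the decoded parameter value contains a '..' path segment."""
    return TRAVERSAL.search(fully_decode(value)) is not None

def flag_sby_traversal(log_lines):
    """Return (client_ip, param_name, decoded_value) for each admin-ajax.php request
    with action=sby_check_wp_submit whose query carries a traversal sequence.
    Note: parameters sent in a POST body do not appear in access logs; a WAF with
    body inspection is needed to cover that case."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
        if "sby_check_wp_submit" not in params.get("action", []):
            continue
        for name, values in params.items():
            for v in values:
                if is_traversal(v):
                    hits.append((line.split()[0], name, fully_decode(v)))
    return hits
```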
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-20T22:16:51.229Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696af5b4b22c7ad86850279d
Added to database: 1/17/2026, 2:36:36 AM
Last enriched: 1/24/2026, 7:46:52 PM
Last updated: 2/7/2026, 12:58:43 AM