
CVE-2025-12002: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Awesome Motive YouTube Feed Pro

Severity: Medium
Tags: Vulnerability, CVE-2025-12002, CWE-22
Published: Sat Jan 17 2026 (01/17/2026, 02:22:33 UTC)
Source: CVE Database V5
Vendor/Project: Awesome Motive
Product: YouTube Feed Pro

Description

The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 19:49:59 UTC

Technical Analysis

CVE-2025-12002 is a path traversal vulnerability categorized under CWE-22 affecting the Feeds for YouTube Pro plugin by Awesome Motive for WordPress. The flaw exists in all versions up to and including 2.6.0 and arises from improper sanitization of user-supplied data within the 'sby_check_wp_submit' AJAX action handler. This insufficient input validation allows an unauthenticated attacker to manipulate file path parameters to traverse directories and read arbitrary files on the server filesystem. The vulnerability is conditional upon two plugin settings: 'Save Featured Images' must be enabled, and 'Disable WP Posts' must be disabled, which influence the plugin's file handling behavior. Exploiting this vulnerability does not require authentication or user interaction, but the attack complexity is rated high due to the need to meet specific configuration conditions. The impact is a high confidentiality breach, as attackers can access sensitive files, potentially including configuration files, credentials, or other private data stored on the server. However, the vulnerability does not allow modification or deletion of files, so integrity and availability remain unaffected. No public exploits have been reported yet, but the exposure of sensitive data can lead to further attacks such as credential theft or lateral movement within compromised environments. The CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, and high confidentiality impact.

Potential Impact

The primary impact of CVE-2025-12002 is unauthorized disclosure of sensitive information stored on the web server hosting the vulnerable WordPress plugin. Organizations using the Feeds for YouTube Pro plugin with the specified settings enabled risk exposure of configuration files, database credentials, private keys, or other sensitive data that could facilitate further compromise. This can lead to data breaches, loss of customer trust, regulatory non-compliance, and potential lateral movement by attackers within the network. Since the vulnerability is exploitable remotely without authentication, it poses a significant risk to publicly accessible WordPress sites. However, the requirement for specific plugin settings and high attack complexity somewhat limits the ease of exploitation. The vulnerability does not allow attackers to modify or delete files, so data integrity and service availability are not directly threatened. Nonetheless, the confidentiality breach alone can have serious consequences, especially for organizations handling sensitive or regulated data.

Mitigation Recommendations

To mitigate CVE-2025-12002, organizations should immediately update the Feeds for YouTube Pro plugin to a patched version once available from Awesome Motive. In the absence of a patch, administrators should disable the 'Save Featured Images' setting or enable the 'Disable WP Posts' option to prevent exploitation. Restricting access to the AJAX endpoint 'sby_check_wp_submit' via web application firewall (WAF) rules or IP whitelisting can reduce exposure. Implementing strict input validation and sanitization at the application level is critical to prevent path traversal attacks. Additionally, limiting file system permissions for the web server user to only necessary directories reduces the potential impact of arbitrary file reads. Regularly auditing plugin configurations and monitoring web server logs for suspicious requests targeting the AJAX action can help detect exploitation attempts. Finally, organizations should consider isolating WordPress instances and sensitive data storage to minimize risk.
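The log-monitoring recommendation above can be turned into a concrete rule. The following is an added example, not code from the advisory or the plugin: it scans combined-format access log lines for requests to admin-ajax.php that invoke the 'sby_check_wp_submit' action with a directory-traversal sequence in any query parameter. The log lines and the 'path' parameter name are constructed placeholders, since the page does not name the vulnerable parameter.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-format access log line (constructed layout, not from the page).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Traversal indicators checked after a second URL-decode, so single- and
# double-encoded dot-dot sequences are both caught.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE)
VULN_ACTION = "sby_check_wp_submit"  # AJAX action named in the advisory

def is_suspicious_request(target: str) -> bool:
    """True if the request targets admin-ajax.php with the vulnerable action
    and any query parameter carries a directory-traversal sequence.
    Parameter names are deliberately not assumed; every value is checked."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin-ajax.php"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    if VULN_ACTION not in params.get("action", []):
        return False
    return any(TRAVERSAL_RE.search(unquote(v))  # decode a second time
               for values in params.values() for v in values)

def flag_suspicious(lines):
    """Return (ip, timestamp, target) for each log line matching the rule.
    Only the query string is visible in an access log; an action sent in a
    POST body needs WAF or application-level logging instead."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits

# Constructed sample lines; the 'path' parameter name is a placeholder.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Jan/2026:03:14:15 +0000] "GET /wp-admin/admin-ajax.php?action=sby_check_wp_submit&path=../../../../etc/hostname HTTP/1.1" 200 812',
    '203.0.113.5 - - [17/Jan/2026:03:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=sby_check_wp_submit&path=2026/01/thumb.jpg HTTP/1.1" 200 512',
    '192.0.2.9 - - [17/Jan/2026:03:16:40 +0000] "GET /index.php?p=../../x HTTP/1.1" 404 120',
    '198.51.100.7 - - [17/Jan/2026:03:17:01 +0000] "GET /wp-admin/admin-ajax.php?action=sby_check_wp_submit&path=%252e%252e%252fsecret HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for ip, ts, target in flag_suspicious(SAMPLE_LOG):
        print(f"[{ts}] {ip} -> {target}")
```

The third sample line carries a traversal sequence but is not flagged, because the rule is scoped to the vulnerable action; a broader traversal signature would be a separate rule.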


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-20T22:16:51.229Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696af5b4b22c7ad86850279d

Added to database: 1/17/2026, 2:36:36 AM

Last enriched: 2/27/2026, 7:49:59 PM

Last updated: 3/25/2026, 8:17:54 AM

