CVE-2025-12089 identifies a path traversal vulnerability (CWE-22) in the Data Tables Generator by Supsystic WordPress plugin, affecting all versions up to and including 1.10.45. The vulnerability arises from insufficient validation of file paths in the cleanCache() function, which is responsible for clearing cached data files. An authenticated attacker with administrator privileges can exploit this flaw to delete arbitrary files on the web server by manipulating the file path input. This arbitrary file deletion can be leveraged to remove critical files such as wp-config.php, which contains database credentials and configuration settings. Deleting such files can disrupt website availability and potentially allow attackers to upload malicious files or execute remote code, escalating the attack impact from denial of service to full system compromise. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting medium severity, with attack vector network-based, low attack complexity, requiring high privileges but no user interaction. No public exploits or patches are currently available, increasing the urgency for defensive measures. The vulnerability affects WordPress sites using this plugin, which is popular for creating data tables, thus potentially impacting a wide range of websites including e-commerce, corporate, and government portals. The flaw underscores the risks of insufficient input validation in plugins with elevated privileges, emphasizing the need for secure coding practices and timely updates.

For European organizations, this vulnerability poses a significant risk to the confidentiality, integrity, and availability of their WordPress-based web assets. Successful exploitation can lead to deletion of critical configuration files, causing website outages and loss of service availability. More critically, it can enable remote code execution, allowing attackers to gain persistent control over the affected server, potentially leading to data breaches, defacement, or use of the server as a pivot point for further attacks. Organizations in sectors such as finance, healthcare, government, and e-commerce are particularly vulnerable due to the sensitive nature of their data and reliance on web presence. The requirement for administrator-level access limits the attack surface but does not eliminate risk, as insider threats or compromised admin accounts can be leveraged. The absence of known exploits currently provides a window for mitigation, but the medium severity score indicates that the threat should be taken seriously to prevent escalation.

1. Monitor for and apply security patches from Supsystic promptly once released to address CVE-2025-12089. 2. Until a patch is available, restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce risk of credential compromise. 3. Implement strict file system permissions on the WordPress installation directory to prevent unauthorized file deletions, especially protecting critical files like wp-config.php. 4. Regularly back up WordPress files and databases to enable rapid recovery in case of file deletion or compromise. 5. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the plugin’s cache cleaning functionality. 6. Conduct regular security audits and monitoring of administrator activities and file integrity to detect anomalous behavior early. 7. Consider isolating WordPress instances or using containerization to limit the blast radius of potential exploits. 8. Educate administrators about the risks of plugin vulnerabilities and the importance of timely updates and secure credential management.