CVE-2025-12089 is a path traversal vulnerability classified under CWE-22 found in the Data Tables Generator by Supsystic WordPress plugin, versions up to and including 1.10.45. The vulnerability arises from improper validation of file paths in the cleanCache() function, which is responsible for clearing cached files. Authenticated attackers with Administrator-level privileges can exploit this flaw to delete arbitrary files on the web server by manipulating the file path input. This arbitrary file deletion can be leveraged to remove critical files such as wp-config.php, which stores database credentials and configuration settings. Deletion of such files can disrupt website functionality and may allow attackers to achieve remote code execution by forcing the system to regenerate configuration files or by exploiting other chained vulnerabilities. The attack vector requires network access (remote), low attack complexity, and high privileges but does not require user interaction. The vulnerability impacts confidentiality minimally but has a high impact on integrity and availability, as attackers can delete essential files and disrupt services. Although no public exploits are currently known, the vulnerability poses a significant risk to WordPress sites using this plugin, especially those with multiple administrators or weak access controls. The CVSS v3.1 base score is 6.5, indicating medium severity. No official patches or updates are currently listed, so mitigation relies on access control and monitoring until a fix is released.

The primary impact of CVE-2025-12089 is the potential for arbitrary file deletion on affected WordPress servers, which can lead to significant service disruption and data loss. Deleting critical files like wp-config.php can cause website outages, loss of configuration, and may open pathways for remote code execution, enabling attackers to take full control of the server. This can compromise the integrity and availability of the affected systems, potentially leading to defacement, data breaches, or use of the server as a pivot point for further attacks. Organizations relying on the Data Tables Generator plugin face risks of downtime, loss of customer trust, and potential regulatory consequences if sensitive data is exposed or services interrupted. The requirement for administrator-level access limits the attack surface but also highlights the importance of securing privileged accounts. Since WordPress powers a large portion of websites globally, the vulnerability could affect a wide range of industries, including e-commerce, media, and government sites, particularly those that have not implemented strict access controls or timely updates.

1. Immediately restrict administrator-level access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 2. Monitor file system integrity regularly using tools that can detect unauthorized file deletions or modifications, especially for critical files like wp-config.php. 3. Implement strict input validation and sanitization at the application level if possible, or use web application firewalls (WAFs) to detect and block suspicious path traversal attempts. 4. Regularly back up website files and databases to enable quick restoration in case of file deletion or compromise. 5. Stay informed about updates from the plugin vendor and apply patches promptly once released. 6. Consider temporarily disabling or replacing the Data Tables Generator plugin with a more secure alternative until a fix is available. 7. Audit and limit plugin usage and permissions to reduce the attack surface. 8. Employ principle of least privilege for all user accounts to minimize potential damage from compromised credentials.