CVE-2025-13677: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in specialk Simple Download Counter
The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.2.2. This is due to insufficient path validation in the `simple_download_counter_parse_path()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which may contain sensitive information such as database credentials (wp-config.php) or system files. Please note that the vendor opted to continue to allow remote file downloads from arbitrary locations on the server, however, has disabled this functionality on multi-sites and provided a warning to site owners in the readme.txt when they install the plugin. While not an optimal patch, we have considered this sufficient and recommend users proceed to use the plugin with caution.
AI Analysis
Technical Summary
CVE-2025-13677 is a path traversal vulnerability (CWE-22) in the Simple Download Counter plugin for WordPress, affecting all versions up to 2.2.2. The issue arises from insufficient path validation in the simple_download_counter_parse_path() function, allowing authenticated administrators to read arbitrary server files. Although the vendor has disabled remote file downloads on multi-site setups and added warnings, they have not fully fixed the underlying vulnerability, leaving potential exposure to sensitive files such as database credentials.
Potential Impact
An authenticated attacker with Administrator-level privileges can exploit this vulnerability to read arbitrary files on the server. This can lead to disclosure of sensitive information, including database credentials and system files. There is no indication of integrity or availability impact. The vulnerability is rated medium severity with a CVSS score of 4.9.
Mitigation Recommendations
No official patch is available as the vendor has opted for a partial mitigation by disabling remote file downloads on multi-site installations and providing warnings to site owners. Users should exercise caution when using this plugin, especially on single-site installations. Review plugin usage and consider alternative plugins or additional access controls to limit risk. Monitor vendor advisories for any future updates or fixes.
CVE-2025-13677: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in specialk Simple Download Counter
Description
The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.2.2. This is due to insufficient path validation in the `simple_download_counter_parse_path()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which may contain sensitive information such as database credentials (wp-config.php) or system files. Please note that the vendor opted to continue to allow remote file downloads from arbitrary locations on the server, however, has disabled this functionality on multi-sites and provided a warning to site owners in the readme.txt when they install the plugin. While not an optimal patch, we have considered this sufficient and recommend users proceed to use the plugin with caution.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-13677 is a path traversal vulnerability (CWE-22) in the Simple Download Counter plugin for WordPress, affecting all versions up to 2.2.2. The issue arises from insufficient path validation in the simple_download_counter_parse_path() function, allowing authenticated administrators to read arbitrary server files. Although the vendor has disabled remote file downloads on multi-site setups and added warnings, they have not fully fixed the underlying vulnerability, leaving potential exposure to sensitive files such as database credentials.
Potential Impact
An authenticated attacker with Administrator-level privileges can exploit this vulnerability to read arbitrary files on the server. This can lead to disclosure of sensitive information, including database credentials and system files. There is no indication of integrity or availability impact. The vulnerability is rated medium severity with a CVSS score of 4.9.
Mitigation Recommendations
No official patch is available as the vendor has opted for a partial mitigation by disabling remote file downloads on multi-site installations and providing warnings to site owners. Users should exercise caution when using this plugin, especially on single-site installations. Review plugin usage and consider alternative plugins or additional access controls to limit risk. Monitor vendor advisories for any future updates or fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-25T18:46:51.542Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6938ec92bc985c89a3e00f29
Added to database: 12/10/2025, 3:44:18 AM
Last enriched: 4/9/2026, 9:36:52 AM
Last updated: 5/8/2026, 5:46:14 AM
Views: 173
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.