CVE-2025-13677: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in specialk Simple Download Counter
The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.2.2. This is due to insufficient path validation in the `simple_download_counter_parse_path()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which may contain sensitive information such as database credentials (wp-config.php) or system files. Please note that the vendor opted to continue to allow remote file downloads from arbitrary locations on the server, but has disabled this functionality on multi-sites and provided a warning to site owners in the readme.txt when they install the plugin. While not an optimal patch, we have considered this sufficient and recommend users proceed to use the plugin with caution.
AI Analysis
Technical Summary
CVE-2025-13677 is a path traversal vulnerability classified under CWE-22 affecting the Simple Download Counter plugin for WordPress in all versions up to and including 2.2.2. The root cause lies in the `simple_download_counter_parse_path()` function, which fails to properly validate and restrict file paths. This flaw allows authenticated users with Administrator-level privileges or higher to manipulate file paths and access arbitrary files on the hosting server. Such files may include critical configuration files like wp-config.php, which contains database credentials, or other sensitive system files. The vendor has chosen to maintain the ability to download files from arbitrary server locations on single-site installations, only disabling this feature on multisite setups and issuing warnings in the plugin’s readme.txt. Although this approach reduces some risk, it does not fully eliminate the vulnerability. The CVSS v3.1 score is 4.9, reflecting medium severity with high impact on confidentiality but no impact on integrity or availability. Exploitation requires authenticated administrator access, no user interaction, and can be performed remotely over the network. No public exploits have been reported to date. The vulnerability highlights the risk of insufficient input validation in WordPress plugins, especially those handling file system operations.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data hosted on WordPress sites using the Simple Download Counter plugin. Attackers with administrator access—potentially gained through phishing, credential compromise, or insider threat—could exploit this flaw to read critical files such as wp-config.php, exposing database credentials and enabling further compromise of backend systems. This could lead to data breaches involving personal data protected under GDPR, resulting in regulatory penalties and reputational damage. Additionally, exposure of system files could facilitate lateral movement or privilege escalation within the hosting environment. Organizations relying on WordPress for public-facing websites or internal portals are particularly at risk. The partial mitigation by the vendor reduces risk on multisite installations but leaves single-site deployments vulnerable. Given the widespread use of WordPress across Europe, especially in small and medium enterprises, the potential attack surface is considerable. Although no known exploits exist currently, the vulnerability’s medium severity and ease of exploitation by privileged users warrant proactive remediation to prevent data leakage and compliance violations.
Mitigation Recommendations
European organizations should immediately audit their WordPress environments to identify installations of the Simple Download Counter plugin, especially versions up to 2.2.2. Where possible, upgrade to a patched version once available or consider disabling the plugin until a secure update is released. If upgrading is not feasible, restrict administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Review and harden file system permissions to limit the plugin’s ability to access sensitive files outside its intended directory. For multisite installations, ensure the vendor’s disabling of remote file downloads is in effect. Monitor logs for unusual file access patterns indicative of exploitation attempts. Additionally, consider implementing web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting this plugin. Regularly back up WordPress sites and sensitive configuration files to enable recovery in case of compromise. Finally, educate administrators about the risks of granting excessive privileges and the importance of plugin security hygiene.
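The flaw described above is insufficient containment of a user-supplied path before the file is opened. The following PHP is an added illustration of the containment check a download handler of this kind needs; it is not code from the Simple Download Counter plugin or from the vendor's patch. The function name `sdc_example_resolve_download_path()`, the `uploads` base directory and the sample inputs are all assumptions constructed for the demonstration. It canonicalises the request with `realpath()` (so `..` segments and symlinks are resolved before the comparison), rejects absolute paths, URL schemes and NUL bytes, and only returns a path that lies strictly inside the base directory.

```php
<?php
// Added example, not the plugin's own code. Constrain a requested download
// path to one existing regular file inside $baseDir; return null otherwise.
// The function name and the base directory are illustrative assumptions.
function sdc_example_resolve_download_path(string $requested, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // Decode percent-encoding first so "%2e%2e%2f" is judged the same as "../",
    // then reject embedded NUL bytes before any filesystem call.
    $decoded = rawurldecode($requested);
    if (strpos($requested, "\0") !== false || strpos($decoded, "\0") !== false) {
        return null;
    }

    // Only bare relative paths are acceptable: no leading slash or backslash,
    // no drive letters, and no URL schemes (http://, file://, php://, ...).
    // A colon anywhere in the first segment is treated as a scheme and refused.
    if (preg_match('#^(?:[A-Za-z][A-Za-z0-9+.\-]*:|[\\\\/])#', $decoded)) {
        return null;
    }

    // realpath() canonicalises "." and ".." and follows symlinks, so the
    // containment test below is made on the file that would actually be read.
    // It also requires every path component to exist, which is the desired
    // behaviour for a download handler.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $decoded);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Containment: the resolved file must sit strictly inside the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $candidate;
}

// Constructed demonstration: a temporary "uploads" directory holding one
// legitimate file and a subdirectory, plus a sibling file outside the base
// that must stay unreachable even through a symlink planted inside the base.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sdc_example_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads . DIRECTORY_SEPARATOR . 'sub', 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'report.pdf', 'harmless content');
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.txt', 'constructed stand-in for wp-config.php');
// symlink() may be unavailable on some Windows setups; the other cases still run.
@symlink($root . DIRECTORY_SEPARATOR . 'secret.txt', $uploads . DIRECTORY_SEPARATOR . 'link.txt');

$cases = [
    'report.pdf'           => true,   // plain file inside the base
    '../secret.txt'        => false,  // classic traversal
    '..%2Fsecret.txt'      => false,  // percent-encoded traversal
    'sub/../report.pdf'    => true,   // normalises to an allowed file
    '/etc/passwd'          => false,  // absolute path
    'http://example.com/x' => false,  // URL scheme
    'link.txt'             => false,  // symlink escaping the base
    "report.pdf\0.txt"     => false,  // NUL byte
];
foreach ($cases as $input => $expectAllowed) {
    $allowed = sdc_example_resolve_download_path($input, $uploads) !== null;
    printf("%-28s %s\n", json_encode($input), $allowed === $expectAllowed ? 'PASS' : 'FAIL');
}

// Clean up the constructed fixture.
@unlink($uploads . DIRECTORY_SEPARATOR . 'link.txt');
unlink($uploads . DIRECTORY_SEPARATOR . 'report.pdf');
rmdir($uploads . DIRECTORY_SEPARATOR . 'sub');
rmdir($uploads);
unlink($root . DIRECTORY_SEPARATOR . 'secret.txt');
rmdir($root);
```

Run it with `php example.php`; every case should print `PASS`. The symlink case is the one most often missed: a prefix check on the raw, un-resolved string would accept `link.txt` because it contains no `..`, while the `realpath()`-based check compares the resolved target and refuses it. For plugin or WAF review, the same rule applies in reverse: a request is only safe when the resolved file, not the submitted string, lies inside the intended directory.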
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T18:46:51.542Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6938ec92bc985c89a3e00f29
Added to database: 12/10/2025, 3:44:18 AM
Last enriched: 12/10/2025, 3:59:24 AM
Last updated: 12/10/2025, 5:39:16 AM