The Simple Download Counter plugin for WordPress suffers from a CWE-22 path traversal vulnerability identified as CVE-2025-13677, affecting all versions up to 2.2.2. The root cause is insufficient validation of file paths in the function simple_download_counter_parse_path(), which allows an authenticated user with Administrator privileges to manipulate file paths and access arbitrary files on the hosting server. This can lead to disclosure of sensitive information such as database credentials stored in wp-config.php or other critical system files. The vulnerability does not require user interaction but does require high privilege levels, limiting the attack surface to trusted users or compromised administrator accounts. The vendor has chosen not to fully remediate the issue but disabled remote file downloads on multisite WordPress installations and added warnings in the plugin documentation. The CVSS 3.1 base score is 4.9 (medium severity), reflecting the network attack vector, low attack complexity, required privileges, and high confidentiality impact but no integrity or availability impact. No public exploits have been reported yet, but the vulnerability poses a risk in environments where administrator accounts may be compromised or shared. The plugin’s continued allowance of remote file downloads from arbitrary locations, even with warnings, means residual risk remains for sites that continue to use it without additional controls.

European organizations using the Simple Download Counter plugin on WordPress sites face potential exposure of sensitive server files if an attacker gains administrator-level access. This could lead to leakage of database credentials, configuration files, or other sensitive data, increasing the risk of further compromise such as database breaches or privilege escalation. Given the widespread use of WordPress in Europe, especially among SMEs and public sector entities, the vulnerability could impact a broad range of organizations. The requirement for administrator privileges limits exploitation to insider threats or attackers who have already compromised an admin account, but such scenarios are not uncommon. The partial remediation by the vendor means organizations relying on this plugin must remain vigilant. Data protection regulations like GDPR heighten the consequences of data exposure, potentially leading to regulatory penalties and reputational damage. The vulnerability does not affect availability or integrity directly but can be a stepping stone for more severe attacks.

1. Immediately restrict administrator access to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce the risk of account compromise. 2. Evaluate the necessity of the Simple Download Counter plugin; if possible, replace it with a more secure alternative that properly validates file paths. 3. If continued use is required, implement additional server-level access controls (e.g., file system permissions, AppArmor/SELinux policies) to prevent the web server user from reading sensitive files like wp-config.php. 4. Monitor administrator account activity and audit logs for suspicious behavior indicating potential exploitation attempts. 5. Disable remote file download features if not essential, especially on single-site installations, to reduce attack surface. 6. Keep WordPress core and all plugins updated and subscribe to vendor advisories for future patches. 7. Consider isolating WordPress instances in containerized or sandboxed environments to limit lateral movement in case of compromise. 8. Conduct regular security assessments and penetration tests focusing on privilege escalation and file access vulnerabilities.