The Simple Download Counter plugin for WordPress suffers from a CWE-22 path traversal vulnerability (CVE-2025-13677) in all versions up to and including 2.2.2. The root cause is insufficient validation of file paths in the function simple_download_counter_parse_path(), which fails to properly restrict file access to intended directories. This flaw enables authenticated users with Administrator or higher privileges to craft specially crafted requests that traverse directories and read arbitrary files on the web server. Sensitive files such as wp-config.php, which contains database credentials, or other system files can be exposed, potentially leading to further compromise. The vendor has chosen to disable remote file downloads on WordPress multi-site installations and added warnings in the plugin’s readme.txt, but has not fully patched the underlying vulnerability for single-site users, allowing continued risk. The vulnerability has a CVSS 3.1 base score of 4.9 (medium severity) with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No known exploits have been reported in the wild as of publication. The vulnerability affects all versions of the plugin, which is used worldwide on WordPress sites that require download counting functionality.

The primary impact of this vulnerability is unauthorized disclosure of sensitive server files by authenticated administrators. Exposure of files like wp-config.php can reveal database credentials, enabling attackers to escalate privileges, access or modify the database, and potentially compromise the entire WordPress installation. Although exploitation requires administrator-level access, this is significant because attackers who gain such access through other means (e.g., phishing, credential theft) can leverage this vulnerability to deepen their foothold and extract critical information. The vulnerability does not allow remote unauthenticated attackers to exploit it, limiting the attack surface. However, given the widespread use of WordPress and the plugin, organizations worldwide that rely on this plugin risk data leakage and subsequent attacks if they do not mitigate the issue. The partial vendor mitigation and lack of a full patch increase the risk for single-site users. This vulnerability could also be used in targeted attacks against high-value WordPress sites, including e-commerce, government, and enterprise portals.

Organizations should immediately verify if they use the Simple Download Counter plugin and identify the version installed. Until a full patch is released, consider the following mitigations: 1) Restrict plugin usage to trusted administrators only and audit administrator accounts for suspicious activity. 2) Disable or remove the plugin if download counting is not critical or replace it with a more secure alternative. 3) For sites that must continue using the plugin, implement strict file system permissions to limit the web server’s access to sensitive files, preventing unauthorized reads even if exploited. 4) Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the plugin’s endpoints. 5) Monitor logs for unusual file access patterns or attempts to access sensitive files. 6) For multi-site WordPress installations, ensure the vendor’s mitigation disabling remote downloads is in effect. 7) Keep all WordPress core and plugins updated and subscribe to vendor advisories for future patches. 8) Conduct regular security audits and penetration tests focusing on plugin vulnerabilities. These steps go beyond generic advice by focusing on access control, monitoring, and compensating controls to reduce risk until a comprehensive fix is available.