CVE-2025-13725: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in thimpress Thim Blocks
The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, including files that contain sensitive information such as wp-config.php.
AI Analysis
Technical Summary
CVE-2025-13725 is a path traversal vulnerability (CWE-22) found in the Thim Blocks – Page Builder plugin for WordPress, specifically in the server-side rendering logic of the thim-blocks/icon block. The vulnerability arises due to insufficient validation of the 'iconSVG' parameter, which is used to specify SVG icons. Authenticated attackers with Contributor-level privileges or higher can manipulate this parameter to traverse directories and read arbitrary files on the server filesystem. This can lead to exposure of sensitive files such as wp-config.php, which contains database credentials and other critical configuration details. The vulnerability affects all versions up to and including 1.0.1 of the plugin. Exploitation does not require user interaction beyond authentication, and the attack vector is network-based with low attack complexity. The CVSS v3.1 score is 6.5, reflecting a medium severity with high confidentiality impact but no impact on integrity or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved in late 2025 and published in early 2026. The plugin is used in WordPress environments, which are widely deployed globally, increasing the potential attack surface.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of sensitive server files, including configuration files like wp-config.php that contain database credentials and other secrets. This can lead to further compromise of the WordPress site and underlying infrastructure if attackers leverage the leaked information. Organizations running WordPress sites with the vulnerable Thim Blocks plugin are at risk of data leakage, which can result in loss of confidentiality, reputational damage, and potential compliance violations. Since the vulnerability requires only Contributor-level authentication, it lowers the barrier for exploitation compared to vulnerabilities requiring higher privileges. Although the vulnerability does not directly affect integrity or availability, the information disclosure can be a stepping stone for privilege escalation, lateral movement, or other attacks. The lack of known exploits in the wild suggests limited active exploitation currently, but the widespread use of WordPress and this plugin means the risk remains significant.
Mitigation Recommendations
Organizations should immediately verify if they use the Thim Blocks plugin version 1.0.1 or earlier and plan to update to a patched version once available. In the absence of an official patch, administrators should consider temporarily disabling the plugin or restricting Contributor-level user permissions to trusted users only. Implementing web application firewall (WAF) rules to detect and block path traversal patterns in requests targeting the 'iconSVG' parameter can provide interim protection. Monitoring logs for suspicious access patterns or attempts to read sensitive files is also recommended. Additionally, hardening the server by restricting file permissions to limit access to sensitive files like wp-config.php can reduce the impact of exploitation. Regularly auditing user roles and minimizing the number of users with Contributor or higher privileges will reduce the attack surface. Finally, organizations should stay alert for updates from the vendor and apply patches promptly once released.
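As an added example that is not part of this advisory, the following Python script implements the log-monitoring recommendation above: it parses combined-format access log lines, decodes the request query string (including double-encoded values), and flags any iconSVG value that contains a directory-traversal sequence. The log lines, client addresses and the '/example-endpoint' path are constructed for the demo; the page does not name the endpoint that renders the block, and matching both a bare 'iconSVG' key and a nested 'attributes[iconSVG]' key is an assumption about how block attributes may be passed in a request.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Name of the request parameter the advisory identifies as the vulnerable input.
PARAM = "iconSVG"

# Combined log format (Apache/Nginx): client, ident, user, [time], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# After normalisation, a '..' path segment or an embedded NUL byte counts as traversal.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)|\x00")

# Constructed sample log (assumption): endpoint path and client addresses are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Jan/2026:03:51:37 +0000] "GET /example-endpoint?attributes%5BiconSVG%5D=icons%2Fstar.svg HTTP/1.1" 200 512
198.51.100.8 - - [17/Jan/2026:03:52:01 +0000] "GET /example-endpoint?attributes%5BiconSVG%5D=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048
198.51.100.9 - - [17/Jan/2026:03:52:15 +0000] "GET /example-endpoint?iconSVG=..%252F..%252Fwp-config.php HTTP/1.1" 200 2048
203.0.113.5 - - [17/Jan/2026:03:53:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4096
"""


def normalize(value: str) -> str:
    """Percent-decode repeatedly (catches double encoding) and unify path separators."""
    decoded = value
    for _ in range(3):  # bounded so malformed input cannot loop forever
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(value: str) -> bool:
    """True if the decoded value contains a '..' path segment or a NUL byte."""
    return TRAVERSAL_RE.search(normalize(value)) is not None


def is_icon_param(key: str) -> bool:
    """Match the bare parameter name or a nested form such as attributes[iconSVG] (assumed)."""
    return key == PARAM or key.endswith("[" + PARAM + "]")


def inspect_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one access-log line, or None if it is not suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs decodes one layer of percent-encoding; normalize() handles the rest.
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if not is_icon_param(key):
            continue
        for raw in values:
            if is_traversal(raw):
                return {
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": m.group("status"),
                    "param": key,
                    "decoded": normalize(raw),
                }
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run inspect_line over every line of a log and collect the findings in order."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} {f['param']}={f['decoded']!r}")
```

Run as-is it prints the two constructed traversal attempts and ignores the benign icon request and the unrelated REST call. The same normalize/is_traversal pair can back a WAF rule or a SIEM query; a status of 200 on a flagged request is the case to triage first, since it suggests the file was actually served.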
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T22:29:33.290Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696b0749b22c7ad868788fc2
Added to database: 1/17/2026, 3:51:37 AM
Last enriched: 2/27/2026, 10:14:00 AM
Last updated: 3/26/2026, 4:53:23 AM