CVE-2025-14059: CWE-73 External Control of File Name or Path in roxnor EmailKit – Email Customizer for WooCommerce & WP
The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in all versions up to, and including, 1.6.1. This is due to missing path validation in the create_template REST API endpoint where user-controlled input from the emailkit-editor-template parameter is passed directly to file_get_contents() without sanitization. This makes it possible for authenticated attackers with Author-level permissions or higher to read arbitrary files on the server, including sensitive configuration files like /etc/passwd and wp-config.php, via the REST API. The file contents are stored in post meta and can be exfiltrated through MetForm's email confirmation feature.
AI Analysis
Technical Summary
CVE-2025-14059 is classified under CWE-73 (External Control of File Name or Path) and affects the EmailKit – Email Customizer for WooCommerce & WP WordPress plugin in all versions up to and including 1.6.1. The create_template REST API endpoint takes the emailkit-editor-template parameter from the request and passes it straight to PHP's file_get_contents() with no validation, sanitization or path normalization. Because the raw value becomes the path that is opened, an attacker can supply either a relative traversal sequence (../../wp-config.php) or an absolute path (/etc/passwd); the absolute form needs no traversal characters at all. The plugin then writes the file contents into post meta, and the advisory names MetForm's email confirmation feature as a channel through which that meta can be sent out of the site. Exploitation requires network access to the REST API and a valid account with the Author role or higher, with no further user interaction; Author is a low-privilege role that many multi-author sites hand to guest writers and contractors, so the bar is low. The flaw affects confidentiality only, not integrity or availability. No patch is linked from this record and no in-the-wild exploitation has been reported, but the plugin's use in WooCommerce deployments makes it a notable risk.
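The pattern described above, as an added example that is not part of this advisory or of the EmailKit code base: a hypothetical template loader that hands the request parameter straight to a file read, next to a hardened loader that canonicalizes the path and checks that it stays inside the template directory. It is written in Python so it runs without a WordPress install; the hardened check corresponds to PHP's realpath() followed by a prefix comparison. The directory layout, file names and the ALLOWED_SUFFIXES list are constructed for the example, and it needs a POSIX filesystem for the symlink case.

```python
"""
A template loader of the kind the advisory describes, and a hardened one.

Added example, not EmailKit's code. read_template_unsafe() mirrors
"request parameter straight into file_get_contents()"; resolve_template_path()
is one way to close it (PHP equivalent: realpath() plus a prefix check).
The directory layout built by build_fixture() is constructed for the demo.
"""
import os
import tempfile

ALLOWED_SUFFIXES = (".html", ".php")   # assumption: what a template may be


class TemplatePathError(ValueError):
    """The requested template does not resolve to a file inside the template dir."""


def read_template_unsafe(requested: str) -> str:
    # Vulnerable pattern: the user-supplied value *is* the path. A relative
    # traversal ("../wp-config.php") and an absolute path ("/etc/passwd") both
    # work, so a filter that only strips "../" would not be a fix.
    with open(requested, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def resolve_template_path(template_dir: str, requested: str) -> str:
    """Return the canonical path of `requested` inside template_dir, or raise."""
    if "\x00" in requested:
        raise TemplatePathError("null byte in path")
    base = os.path.realpath(template_dir)
    # os.path.join() discards `base` when `requested` is absolute, which is the
    # case we must catch, so the containment check below is the real guard.
    # realpath() also resolves symlinks, so a link inside the template directory
    # that points at wp-config.php is rejected for the same reason.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise TemplatePathError(f"escapes template directory: {requested!r}")
    if not candidate.endswith(ALLOWED_SUFFIXES):
        raise TemplatePathError(f"disallowed file type: {requested!r}")
    if not os.path.isfile(candidate):
        raise TemplatePathError(f"no such template: {requested!r}")
    return candidate


def read_template_safe(template_dir: str, requested: str) -> str:
    path = resolve_template_path(template_dir, requested)
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def build_fixture() -> tuple:
    """Constructed layout: <root>/wp-config.php, <root>/templates/welcome.html,
    and <root>/templates/sub/link.php symlinked to wp-config.php."""
    root = tempfile.mkdtemp(prefix="emailkit-demo-")
    tdir = os.path.join(root, "templates")
    os.makedirs(os.path.join(tdir, "sub"))
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    with open(os.path.join(tdir, "welcome.html"), "w") as fh:
        fh.write("<h1>Welcome</h1>\n")
    os.symlink(os.path.join(root, "wp-config.php"), os.path.join(tdir, "sub", "link.php"))
    return root, tdir


def demo() -> dict:
    """Run each request through the hardened loader; returns label -> outcome."""
    root, tdir = build_fixture()
    cases = {
        "legitimate template": "welcome.html",
        "traversal that stays inside": "sub/../welcome.html",
        "relative traversal": "../wp-config.php",
        "absolute path, no traversal needed": os.path.join(root, "wp-config.php"),
        "symlink escape": "sub/link.php",
    }
    results = {}
    for label, requested in cases.items():
        try:
            read_template_safe(tdir, requested)
            results[label] = "allowed"
        except TemplatePathError:
            results[label] = "blocked"
    # The unsafe loader returns the secret for the absolute path without complaint.
    leaked = read_template_unsafe(cases["absolute path, no traversal needed"])
    results["unsafe loader leaks wp-config.php"] = "yes" if "constructed-secret" in leaked else "no"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{outcome:8} {label}")
```

Run it directly to see each case. The two to note are the absolute path, which a check that only strips ../ would let through, and the symlink, which only canonicalization catches. A stricter design maps template names to files from a fixed allowlist and never treats the parameter as a path at all.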
Potential Impact
The primary impact of CVE-2025-14059 is unauthorized disclosure of any file the web server process can read. wp-config.php holds the database credentials and the authentication keys and salts, and other readable files may hold API keys or further secrets, so a successful read can lead to full compromise of the site and of any connected infrastructure that shares those credentials, and from there to privilege escalation, data theft or lateral movement. Because only Author-level permissions are needed, the barrier is lower than for flaws that require an administrator account. Sites running EmailKit, typically WooCommerce stores, therefore risk exposure of sensitive data, with the customer-trust, regulatory and financial consequences that follow. The flaw does not itself affect integrity or availability, but it is a natural stepping stone to attacks that do. The absence of known in-the-wild exploitation lowers the immediate risk without removing it, particularly now that the vulnerability is publicly disclosed.
Mitigation Recommendations
Upgrade the EmailKit plugin to a fixed release as soon as one is published; this record links no patch yet. Until then, restrict the Author role and everything above it to trusted users, and review who currently holds it, since Author is often granted to guest writers and contractors. Add WAF rules for REST requests that carry the emailkit-editor-template parameter, but match more than the literal ../ sequence: because the value reaches file_get_contents() unchanged, an absolute path such as /etc/passwd needs no traversal characters at all, and URL-encoded or double-encoded variants of both forms must be decoded before matching. If the create_template endpoint is not needed, block it at the web server or WAF. Hunt for past abuse in two places: the web server logs, for REST requests to that endpoint whose parameter looks like a file path, and the wp_postmeta table, since the advisory says the file contents are written there; meta values containing strings such as DB_PASSWORD or root:x:0:0 indicate a successful read, in which case rotate the database password and the keys and salts in wp-config.php. Keep in mind that standard access logs do not record POST bodies, so log review alone misses a parameter sent in the request body; body inspection has to happen in the WAF. Harden file permissions so the web server user can read only what it needs, and consider PHP's open_basedir to confine reads to the web root (this limits exposure of system files like /etc/passwd but not of wp-config.php, which lives inside the web root or one level above it). Isolate the WordPress environment, feed REST API access into intrusion detection, and enforce least privilege for every role.
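Detection logic for the log review and post-meta check above, as an added example that is not part of this advisory or of any vendor tooling. It assumes that the REST route of the create_template endpoint contains the string create_template (the advisory does not give the route; the example/v1 namespace, the meta key names and every log line and meta row below are constructed sample data) and that the access log is in Combined Log Format.

```python
"""
Two checks for CVE-2025-14059-style activity: requests whose
emailkit-editor-template value is a file path after URL decoding, and post
meta rows that already hold leaked file contents.

Added example, not the advisory's or the plugin's code. Assumptions: the REST
route contains "create_template" (exact route unknown), Combined Log Format.
All log lines and post meta rows are constructed sample data.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "emailkit-editor-template"   # parameter named in the advisory
ROUTE_HINT = "create_template"       # assumption about the REST route name

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A value that looks like a path rather than a template name. Absolute paths
# matter as much as "../": the value reaches file_get_contents() as-is, so
# "/etc/passwd" needs no traversal. php://, file:// and phar:// are stream
# wrappers that file_get_contents() also accepts.
PATH_INDICATOR = re.compile(
    r"(\.\.[\\/]|^[\\/]|^[A-Za-z]:[\\/]|^(?:php|file|phar)://)", re.IGNORECASE
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), to catch %252e%252e."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_values(target: str) -> list:
    """Decoded PARAM values on a create_template request that look like paths."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    # Covers both /wp-json/<route> and index.php?rest_route=/<route> forms.
    route = parts.path + params.get("rest_route", [""])[0]
    if ROUTE_HINT not in route:
        return []
    hits = []
    for raw in params.get(PARAM, []):
        value = fully_decode(raw)      # parse_qs already decoded once
        if PATH_INDICATOR.search(value):
            hits.append(value)
    return hits


def scan_log(lines) -> list:
    """(ip, timestamp, decoded value) for every suspicious request in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for value in suspicious_values(m["target"]):
                findings.append((m["ip"], m["ts"], value))
    return findings


# Strings that never belong in an email template but do appear in the files
# the advisory names (wp-config.php, /etc/passwd).
LEAK_SIGNATURES = ("DB_PASSWORD", "AUTH_KEY", "root:x:0:0")


def scan_postmeta(rows) -> list:
    """(post_id, meta_key, signature) for rows holding leaked file contents."""
    return [(row["post_id"], row["meta_key"], sig)
            for row in rows for sig in LEAK_SIGNATURES if sig in row["meta_value"]]


# Constructed sample data; the "example/v1" namespace and meta keys are invented.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2026:03:55:43 +0000] "POST /wp-json/example/v1/create_template'
    '?emailkit-editor-template=..%2F..%2Fwp-config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jan/2026:03:56:01 +0000] "POST /wp-json/example/v1/create_template'
    '?emailkit-editor-template=%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jan/2026:03:56:20 +0000] "POST /wp-json/example/v1/create_template'
    '?emailkit-editor-template=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [07/Jan/2026:04:10:02 +0000] "POST /wp-json/example/v1/create_template'
    '?emailkit-editor-template=welcome-email HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jan/2026:04:11:15 +0000] "GET /wp-json/wp/v2/posts'
    '?emailkit-editor-template=../x HTTP/1.1" 200 7200 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Jan/2026:04:20:44 +0000] "POST /index.php?rest_route=%2Fexample%2Fv1%2Fcreate_template'
    '&emailkit-editor-template=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dwp-config.php HTTP/1.1" 200 900 "-" "curl/8.5.0"',
]
SAMPLE_POSTMETA = [
    {"post_id": 41, "meta_key": "_template_body", "meta_value": "<h1>Thanks for your order</h1>"},
    {"post_id": 42, "meta_key": "_template_body", "meta_value": "<?php define('DB_PASSWORD', 'constructed-secret');"},
    {"post_id": 43, "meta_key": "_template_body", "meta_value": "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1::/usr/sbin:/usr/sbin/nologin"},
]

if __name__ == "__main__":
    for ip, ts, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {PARAM}={value}")
    for post_id, key, sig in scan_postmeta(SAMPLE_POSTMETA):
        print(f"post {post_id} meta {key} contains {sig!r}")
```

parse_qs decodes once and fully_decode() repeats until the value is stable, which is what turns %252e%252e%252f into ../; the request on the wp/v2/posts route is ignored because only the create_template route matters. On a live site the same signature search runs as a LIKE query against wp_postmeta. Log findings are limited to query-string parameters, since access logs do not record POST bodies.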
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-04T19:21:34.885Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695dd93f873865b8635a453f
Added to database: 1/7/2026, 3:55:43 AM
Last enriched: 2/27/2026, 10:45:51 AM
Last updated: 3/26/2026, 3:03:30 AM