
CVE-2025-14059: CWE-73 External Control of File Name or Path in roxnor EmailKit – Email Customizer for WooCommerce & WP

Medium
Published: Wed Jan 07 2026 (01/07/2026, 03:21:03 UTC)
Source: CVE Database V5
Vendor/Project: roxnor
Product: EmailKit – Email Customizer for WooCommerce & WP

Description

The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in all versions up to, and including, 1.6.1. This is due to missing path validation in the create_template REST API endpoint where user-controlled input from the emailkit-editor-template parameter is passed directly to file_get_contents() without sanitization. This makes it possible for authenticated attackers with Author-level permissions or higher to read arbitrary files on the server, including sensitive configuration files like /etc/passwd and wp-config.php, via the REST API. The file contents are stored in post meta and can be exfiltrated through MetForm's email confirmation feature.

AI-Powered Analysis

AI analysis last updated: 01/07/2026, 04:10:41 UTC

Technical Analysis

The EmailKit plugin for WordPress, used to customize emails for WooCommerce and WordPress sites, contains a path traversal vulnerability identified as CVE-2025-14059. This vulnerability exists in all versions up to and including 1.6.1. The root cause is the lack of proper validation or sanitization of the emailkit-editor-template parameter in the create_template REST API endpoint. This parameter is directly passed to the PHP function file_get_contents(), which reads file contents from the server. Because the input is not sanitized, an authenticated attacker with Author-level permissions or higher can craft a path traversal payload to read arbitrary files on the server filesystem. Critical files such as /etc/passwd on Linux systems or wp-config.php, which contains database credentials and secret keys, can be accessed. The plugin stores the retrieved file content in WordPress post meta fields, which can then be exfiltrated through the MetForm plugin's email confirmation feature, enabling data leakage outside the system. The vulnerability requires authentication but no user interaction, and the attack surface is exposed via the REST API, which is commonly enabled on WordPress sites. The CVSS 3.1 base score is 6.5, reflecting medium severity due to the high confidentiality impact but limited integrity and availability impact. No patches or fixes have been published at the time of this report, and no known exploits are currently observed in the wild. The vulnerability is classified under CWE-73 (External Control of File Name or Path).

Potential Impact

For European organizations, this vulnerability poses a significant risk of sensitive data exposure. Attackers with Author-level access—often achievable through compromised credentials or privilege escalation—can read critical configuration files containing database credentials, API keys, and other secrets. This can lead to further compromise of the WordPress environment, including data breaches, unauthorized access to customer data, and potential lateral movement within the network. Since WooCommerce is widely used for e-commerce in Europe, the exposure of customer and payment data could lead to violations of GDPR and other data protection regulations, resulting in legal and financial penalties. Additionally, the ability to exfiltrate data via MetForm's email confirmation feature increases the risk of stealthy data leaks. The vulnerability does not directly allow code execution or denial of service but can be a stepping stone for more severe attacks. Organizations relying on WordPress with this plugin should consider the risk to their confidentiality posture high, especially if they have multiple users with Author or higher privileges.

Mitigation Recommendations

1. Immediately restrict Author-level permissions to trusted users only and audit existing user roles to minimize the attack surface.
2. Disable or restrict access to the create_template REST API endpoint if not required, using WordPress REST API permission filters or firewall rules.
3. Monitor and log REST API calls to detect unusual access patterns or attempts to exploit path traversal.
4. Implement Web Application Firewall (WAF) rules to detect and block path traversal payloads targeting the emailkit-editor-template parameter.
5. If possible, temporarily disable the EmailKit plugin until a vendor patch is released.
6. Regularly update WordPress plugins and core to the latest versions once a patch is available.
7. Review and secure MetForm configurations to prevent unauthorized exfiltration of post meta data.
8. Conduct a thorough audit of server files and logs for signs of exploitation or data exfiltration.
9. Educate site administrators about the risks of granting Author-level permissions and enforce strong authentication mechanisms such as MFA.
10. Consider isolating WordPress environments and limiting file system permissions to reduce the impact of arbitrary file reads.
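The missing path validation described in the Technical Analysis, and the REST permission filter suggested in recommendation 2, as an added example that is not the EmailKit plugin's own code: a hypothetical endpoint (the route emailkit-example/v1/template, the function emailkit_safe_template_path() and the templates directory are assumed names) that accepts only a bare allowlisted file name, resolves it with realpath() and refuses anything that lands outside the template directory, and gates the call on an explicit capability rather than on any Author-level account.

```php
<?php
// Added example, not the EmailKit plugin's own code. Shows how a REST endpoint that
// loads a template file can confine the read to one directory and require a capability.
// Hypothetical names: emailkit_safe_template_path(), 'emailkit-example/v1', 'templates'.

/**
 * Resolve $requested to a file inside $baseDir, or return null if it is not a plain
 * allowlisted file name or resolves (via symlinks or "..") outside that directory.
 */
function emailkit_safe_template_path( string $baseDir, string $requested ): ?string {
    $base = realpath( $baseDir );
    if ( false === $base ) {
        return null;
    }
    // Accept only a bare file name: no separators, no NUL bytes, no dot segments.
    if ( ! preg_match( '/^[A-Za-z0-9][A-Za-z0-9_-]*\.html\z/', $requested ) ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( false === $candidate || ! is_file( $candidate ) ) {
        return null;
    }
    // Defence in depth: the resolved path must still start with the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $candidate, $prefix, strlen( $prefix ) ) ) {
        return null;
    }
    return $candidate;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'emailkit-example/v1', '/template', array(
        'methods'             => 'POST',
        // Require an explicit capability instead of accepting any Author-level user.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $dir  = plugin_dir_path( __FILE__ ) . 'templates';
            $name = (string) $request->get_param( 'emailkit-editor-template' );
            $path = emailkit_safe_template_path( $dir, $name );
            if ( null === $path ) {
                // Same error for "not found" and "rejected", so the response reveals nothing about the filesystem.
                return new WP_Error( 'invalid_template', 'Unknown template.', array( 'status' => 400 ) );
            }
            return rest_ensure_response( array( 'content' => file_get_contents( $path ) ) );
        },
    ) );
} );
```

The realpath() prefix check is what blocks the pattern in the advisory: a value such as ../../wp-config.php fails the file-name pattern, and a symlink inside the templates directory pointing elsewhere fails the prefix comparison.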


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-12-04T19:21:34.885Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 695dd93f873865b8635a453f

Added to database: 1/7/2026, 3:55:43 AM

Last enriched: 1/7/2026, 4:10:41 AM

Last updated: 1/8/2026, 3:53:06 AM

