CVE-2025-14059: CWE-73 External Control of File Name or Path in roxnor EmailKit – Email Customizer for WooCommerce & WP
CVE-2025-14059 is a medium severity vulnerability in the EmailKit plugin for WordPress, affecting all versions up to 1.6.1. It allows authenticated users with Author-level permissions or higher to perform arbitrary file reads on the server via a path traversal attack through the create_template REST API endpoint. The vulnerability arises because user input from the emailkit-editor-template parameter is passed unsanitized to file_get_contents(), enabling reading of sensitive files like /etc/passwd and wp-config.php. The contents of these files are stored in post meta and can be exfiltrated using the MetForm email confirmation feature. Exploitation does not require user interaction but does require authentication at a relatively low privilege level. There are no known exploits in the wild yet. This vulnerability poses a significant confidentiality risk to affected WordPress sites, especially those running WooCommerce with EmailKit.
AI Analysis
Technical Summary
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress contains a path traversal vulnerability (CWE-73) identified as CVE-2025-14059. This vulnerability exists in all versions up to and including 1.6.1 due to insufficient validation of the emailkit-editor-template parameter in the create_template REST API endpoint. Specifically, the plugin passes this user-controlled input directly to the PHP function file_get_contents() without sanitization or path normalization, allowing an authenticated user with Author-level permissions or higher to read arbitrary files on the server. This can include critical system files such as /etc/passwd or WordPress configuration files like wp-config.php, which may contain database credentials and secret keys. The retrieved file contents are stored within WordPress post meta data and can be exfiltrated through the MetForm plugin’s email confirmation feature, which can send this data via email. The attack vector requires network access to the WordPress REST API and valid credentials with at least Author privileges, but no additional user interaction is needed. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting a medium severity with high confidentiality impact but no impact on integrity or availability. No public exploit code or active exploitation has been reported yet. The root cause is the lack of path validation and sanitization, which is a common security oversight in file handling within web applications. This vulnerability highlights the risks of improper input handling in REST API endpoints and the importance of strict privilege management in WordPress environments.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive server and application data, including credentials and configuration details, which could facilitate further attacks such as privilege escalation, lateral movement, or data breaches. Organizations running WooCommerce stores or other WordPress sites with EmailKit installed are at risk of confidential data leakage. This is particularly critical for e-commerce businesses handling personal and payment data under GDPR regulations, as exposure of configuration files could lead to compromise of customer data and regulatory penalties. The requirement for Author-level authentication lowers the barrier for exploitation, as many WordPress sites have multiple users with such privileges. The ability to exfiltrate data via email confirmation mechanisms also increases the risk of stealthy data theft. Although no integrity or availability impact is noted, the confidentiality breach alone can have severe reputational and financial consequences. The vulnerability could be exploited by insider threats or attackers who have compromised lower-privileged accounts. Given the widespread use of WordPress and WooCommerce across Europe, the potential attack surface is significant.
Mitigation Recommendations
Immediate mitigation steps include upgrading the EmailKit plugin to a patched version once available. Until a patch is released, organizations should restrict Author-level permissions to trusted users only and audit existing user roles to minimize exposure. Disabling or restricting access to the create_template REST API endpoint via web application firewalls or custom rules can reduce the attack surface. Implementing strict input validation and sanitization on the emailkit-editor-template parameter is critical to prevent path traversal. Monitoring and logging REST API requests for suspicious patterns related to file path manipulation can help detect exploitation attempts. Additionally, reviewing and limiting the use of the MetForm email confirmation feature or disabling it temporarily can prevent exfiltration of sensitive data. Organizations should also ensure that WordPress and all plugins are regularly updated and conduct security audits focusing on privilege management and plugin vulnerabilities. Employing file integrity monitoring on critical configuration files can alert administrators to unauthorized access or changes.
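The monitoring recommendation above, worked as an added detection example that is not part of this advisory or of the EmailKit plugin: it scans REST API request logs for create_template calls whose emailkit-editor-template value looks like a traversal path. It assumes the log source records the parameter value (a WAF or API gateway logging query or body parameters); the constructed sample puts it in the query string, and the REST route prefix is a placeholder since the advisory names only the endpoint and the parameter.

```python
# Added detection example (not from the advisory or the plugin): flag REST API
# requests that aim path-traversal values at the EmailKit create_template
# endpoint via the emailkit-editor-template parameter (CVE-2025-14059).
# The REST route prefix below is a placeholder and the log lines are constructed.
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "emailkit-editor-template"   # parameter named in the advisory
ENDPOINT = "create_template"         # endpoint named in the advisory

# Parent-directory hops (either slash), absolute Unix/Windows paths, NUL bytes.
TRAVERSAL = re.compile(r"\.\.[/\\]|^[/\\]|^[A-Za-z]:\\|\x00")

# Combined-log-style prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded ../ is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_template(target: str):
    """Return the offending template value for a create_template request, else None."""
    parts = urlsplit(target)
    if ENDPOINT not in parts.path:
        return None
    for raw in parse_qs(parts.query).get(PARAM, []):  # parse_qs decodes once
        value = decode_fully(raw)
        if TRAVERSAL.search(value):
            return value
    return None

def scan(log_text: str):
    """Return (ip, user, decoded_value) for every suspicious request line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (bad := suspicious_template(m["target"])):
            hits.append((m["ip"], m["user"], bad))
    return hits

# Constructed sample: a benign template name, two traversal attempts, one unrelated route.
SAMPLE_LOG = """\
203.0.113.7 - author1 [14/Jan/2026:10:01:02 +0000] "POST /wp-json/placeholder-ns/v1/create_template?emailkit-editor-template=welcome-email HTTP/1.1" 200
203.0.113.7 - author1 [14/Jan/2026:10:01:09 +0000] "POST /wp-json/placeholder-ns/v1/create_template?emailkit-editor-template=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200
198.51.100.4 - author2 [14/Jan/2026:10:02:11 +0000] "POST /wp-json/placeholder-ns/v1/create_template?emailkit-editor-template=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200
198.51.100.9 - - [14/Jan/2026:10:03:00 +0000] "GET /wp-json/wp/v2/posts?search=..%2F..%2F HTTP/1.1" 200
"""
```

Each hit carries the authenticated user name, which is what an analyst needs to decide whether an Author account has been misused or compromised.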
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-04T19:21:34.885Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695dd93f873865b8635a453f
Added to database: 1/7/2026, 3:55:43 AM
Last enriched: 1/14/2026, 3:36:52 PM
Last updated: 2/7/2026, 6:49:49 PM