CVE-2025-23422: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in moaluko Store Locator
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in moaluko Store Locator store-locator allows PHP Local File Inclusion. This issue affects Store Locator: from n/a through <= 3.98.10.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-23422 is a security vulnerability classified as an improper limitation of a pathname to a restricted directory, commonly known as a path traversal vulnerability, found in the moaluko Store Locator plugin for WordPress. This vulnerability allows an attacker to perform PHP Local File Inclusion (LFI), which means they can manipulate the file path input to include and execute arbitrary files on the server. The root cause is the plugin's failure to properly sanitize or restrict user-supplied input that specifies file paths, enabling traversal outside the intended directory. A successful attack can lead to unauthorized disclosure of sensitive files such as configuration files, password files, or other critical data stored on the server. In some scenarios, if combined with other vulnerabilities or misconfigurations, it could lead to remote code execution, severely compromising the affected system. The vulnerability affects all versions of the Store Locator plugin up to and including 3.98.10. Although no known exploits are currently reported in the wild, the nature of LFI vulnerabilities makes them attractive targets for attackers. The absence of a CVSS score means severity must be assessed based on impact and exploitability factors. Given the potential for sensitive data exposure and possible code execution, this vulnerability represents a high risk to affected systems. The vulnerability was published on January 24, 2025, and was reserved on January 16, 2025, indicating recent discovery. No official patches or mitigation links have been provided yet, emphasizing the need for immediate attention by users of the plugin.
Potential Impact
The impact of CVE-2025-23422 on organizations worldwide can be significant. Exploitation of this path traversal vulnerability allows attackers to read arbitrary files on the server, potentially exposing sensitive information such as database credentials, API keys, user data, or internal configuration files. This can lead to data breaches, loss of confidentiality, and reputational damage. In worst-case scenarios, if attackers chain this vulnerability with others, they may achieve remote code execution, leading to full system compromise, data destruction, or lateral movement within the network. Organizations relying on the moaluko Store Locator plugin for their websites, especially e-commerce and retail businesses, could face service disruptions and financial losses. Additionally, attackers could use the compromised systems as a foothold for further attacks or to distribute malware. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as public disclosure often leads to rapid development of exploit code. The vulnerability affects all users of the plugin up to version 3.98.10, which could be widespread given the plugin's usage in WordPress environments globally.
Mitigation Recommendations
To mitigate CVE-2025-23422, organizations should take the following specific actions:
1) Immediately audit and inventory all instances of the moaluko Store Locator plugin in use to identify affected versions.
2) Monitor official vendor channels and security advisories for patches or updates addressing this vulnerability and apply them promptly once available.
3) In the absence of an official patch, implement web application firewall (WAF) rules to detect and block suspicious path traversal patterns in HTTP requests targeting the plugin endpoints.
4) Restrict file system permissions for the web server user to limit access to sensitive files and directories, minimizing the impact of potential file inclusion.
5) Conduct code reviews or employ security scanning tools to identify and remediate unsafe file inclusion practices in custom or third-party plugins.
6) Enable logging and monitoring to detect unusual file access or inclusion attempts, enabling rapid incident response.
7) Educate development and operations teams about secure coding practices related to file handling and input validation to prevent similar vulnerabilities.
8) Consider temporarily disabling or removing the plugin if immediate patching is not feasible and the plugin is not critical to operations.
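The detection side of recommendations 3 and 6, as an added example that is not part of this advisory, Patchstack's data or the plugin's code: a small Python scanner that flags access-log requests carrying directory-traversal sequences, percent-decoding them first so single- and double-encoded variants are matched in their final form. The `/wp-content/plugins/store-locator/` install path and the `file` query parameter are assumptions for illustration, not a documented endpoint of the plugin, and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic); the plugin query
# parameter and install path are assumptions, not a known endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/store-locator/?file=template.php HTTP/1.1" 200 512
203.0.113.7 - - [24/Jan/2025:10:00:02 +0000] "GET /wp-content/plugins/store-locator/?file=../../../../wp-config.php HTTP/1.1" 200 3100
203.0.113.9 - - [24/Jan/2025:10:00:03 +0000] "GET /wp-content/plugins/store-locator/?file=..%252f..%252fwp-config.php HTTP/1.1" 200 3100
198.51.100.2 - - [24/Jan/2025:10:00:04 +0000] "GET /store/?page=contact HTTP/1.1" 200 2048
"""

# Common log format: client IP, identity, user, [timestamp], "METHOD target proto", status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." path segment bounded by separators (or string ends), checked after decoding.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
PLUGIN_PREFIX = "/wp-content/plugins/store-locator/"  # assumed install path


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so double-encoded
    sequences like %252f reach their final form, then fold backslashes."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if the request path or any query value contains a '..' segment."""
    path, _, query = normalize(target).partition("?")
    values = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    return any(TRAVERSAL_RE.search(v) for v in values)


def scan_log(text: str) -> list[tuple[str, str, bool]]:
    """Return (client_ip, request_target, under_plugin) for each request that
    carries a traversal sequence; under_plugin marks hits on the plugin path."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal(m.group("target")):
            under_plugin = normalize(m.group("target")).startswith(PLUGIN_PREFIX)
            findings.append((m.group("ip"), m.group("target"), under_plugin))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports the second and third lines (the plain and the double-encoded traversal) and ignores the benign requests; feeding real logs through it is a quick way to see whether the plugin endpoints have already been probed.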
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Brazil, Japan, Netherlands, South Africa, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-16T11:23:57.518Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cd7613e6bfc5ba1df09519
Added to database: 4/1/2026, 7:46:27 PM
Last enriched: 4/2/2026, 10:53:50 AM
Last updated: 4/4/2026, 8:22:59 AM