CVE-2025-28955: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in FWDesign Easy Video Player Wordpress & WooCommerce
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in FWDesign Easy Video Player Wordpress & WooCommerce allows Path Traversal. This issue affects Easy Video Player Wordpress & WooCommerce: from n/a through 10.0.
AI Analysis
Technical Summary
CVE-2025-28955 is a high-severity path traversal vulnerability (CWE-22) affecting the FWDesign Easy Video Player plugin for WordPress and WooCommerce. This vulnerability allows an unauthenticated remote attacker to manipulate file path inputs to access files outside the intended restricted directories. Specifically, the plugin fails to properly limit or sanitize pathname inputs, enabling traversal sequences (e.g., '../') that can lead to unauthorized reading of arbitrary files on the server. The vulnerability affects all versions of Easy Video Player up to and including version 10.0. The CVSS 3.1 base score is 7.5, reflecting a network attack vector with low attack complexity, no privileges required, and no user interaction needed. The impact is primarily on confidentiality, as attackers can read sensitive files, but it does not affect integrity or availability. No known exploits are currently reported in the wild, and no patches have been published yet. Given the plugin’s integration with WordPress and WooCommerce, widely used content management and e-commerce platforms, exploitation could expose sensitive business or customer data stored on web servers hosting these plugins. The vulnerability’s exploitation requires only sending crafted requests to the vulnerable plugin endpoints, making it a significant risk for websites using this plugin without mitigations.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, especially for businesses relying on WordPress and WooCommerce for their online presence and digital sales. Unauthorized file access could lead to exposure of sensitive customer data, including personal information protected under GDPR, internal configuration files, or proprietary business data. This could result in regulatory penalties, reputational damage, and loss of customer trust. E-commerce sites are particularly at risk as attackers could harvest payment-related information or credentials stored on the server. Additionally, disclosure of configuration files might facilitate further attacks, such as credential theft or lateral movement within the network. Given the ease of exploitation and no requirement for authentication, attackers could automate scanning and exploitation attempts, increasing the likelihood of compromise. The lack of available patches means organizations must rely on interim mitigations to reduce risk. The vulnerability also raises concerns for managed service providers and hosting companies in Europe that support multiple clients using this plugin, as a single exploited instance could lead to broader impacts.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the FWDesign Easy Video Player plugin and its version. Until an official patch is released, the following specific mitigations are recommended:
1) Disable or remove the Easy Video Player plugin if it is not essential to operations.
2) Implement web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests targeting the plugin endpoints, such as blocking requests containing '../' sequences or suspicious file path parameters.
3) Restrict file system permissions for the web server user to limit access to sensitive directories and files, ensuring the plugin cannot read files outside its intended directories.
4) Monitor web server logs for unusual access patterns or attempts to exploit path traversal.
5) Employ network segmentation to isolate web servers hosting WordPress from critical internal systems.
6) Prepare for rapid deployment of patches once released by subscribing to vendor notifications or security mailing lists.
7) Conduct regular backups of website data to enable recovery in case of compromise.
These targeted mitigations go beyond generic advice by focusing on immediate risk reduction specific to this vulnerability's exploitation method and affected components.
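The following script is an added example for mitigations 2 and 4 above; it is not code from the advisory, from Patchstack, or from the Easy Video Player plugin. It scans access-log lines in the combined format used by Apache and nginx, percent-decodes each request target (a raw substring match on '../' misses encoded forms), and flags requests to the plugin whose path or query contains a traversal segment. The plugin URL prefix and all log lines are constructed assumptions for the demonstration.

```python
"""Detect path-traversal attempts against a WordPress plugin in access logs.

Added example, not from the advisory or the plugin. Log lines and the
plugin prefix below are constructed assumptions.
"""
import re
from urllib.parse import unquote

# Assumption: the plugin is installed under the default WordPress plugin path.
PLUGIN_PREFIX = "/wp-content/plugins/easy-video-player/"

# Constructed combined-format log lines (RFC 5737 test addresses, made-up requests).
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jul/2025:11:46:16 +0000] "GET /wp-content/plugins/easy-video-player/player.php?file=intro.mp4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jul/2025:11:46:20 +0000] "GET /wp-content/plugins/easy-video-player/player.php?file=../../../secret.txt HTTP/1.1" 200 3090 "-" "curl/8.0"
203.0.113.7 - - [16/Jul/2025:11:46:21 +0000] "GET /wp-content/plugins/easy-video-player/player.php?file=%2e%2e%2f%2e%2e%2fsecret.txt HTTP/1.1" 200 3090 "-" "curl/8.0"
203.0.113.9 - - [16/Jul/2025:11:47:02 +0000] "GET /index.php?p=1 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jul/2025:11:47:30 +0000] "GET /wp-content/plugins/easy-video-player/player.php?file=intro..mp4 HTTP/1.1" 404 120 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded, so nested encoding cannot loop
    forever) and treat backslashes as path separators."""
    decoded = target
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


def has_traversal(target: str) -> bool:
    """True when any path or query-value segment is exactly '..'.

    Segment comparison avoids flagging legitimate names such as 'intro..mp4'.
    """
    segments = re.split(r"[/?&=]", normalize_target(target))
    return any(seg == ".." for seg in segments)


def scan_log(text: str, prefix: str = PLUGIN_PREFIX):
    """Return (ip, status, decoded target) for each plugin request that
    carries a traversal segment after decoding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        if not target.startswith(prefix):
            continue
        if has_traversal(target):
            hits.append((m.group("ip"), int(m.group("status")), normalize_target(target)))
    return hits


def naive_hits(text: str) -> int:
    """Count lines a raw '../' substring rule would catch, for comparison."""
    return sum(1 for line in text.splitlines() if "../" in line)


if __name__ == "__main__":
    print("raw '../' substring rule caught:", naive_hits(SAMPLE_LOG))
    for ip, status, target in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip} (HTTP {status}): {target}")
```

The decoded target is reported alongside the HTTP status so that a 200 response to a traversal request, which suggests the read may have succeeded, can be prioritised over a 404. The same decode-then-segment logic is what a WAF rule for mitigation 2 needs; matching the literal '../' string alone would have caught only one of the two attempts in the sample.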
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-03-11T08:10:19.509Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68779108a83201eaacda5838
Added to database: 7/16/2025, 11:46:16 AM
Last enriched: 7/16/2025, 12:31:26 PM
Last updated: 8/5/2025, 12:22:39 AM
Related Threats
- CVE-2025-9050: SQL Injection in projectworlds Travel Management System (Medium)
- CVE-2025-9047: SQL Injection in projectworlds Visitor Management System (Medium)
- CVE-2025-9046: Stack-based Buffer Overflow in Tenda AC20 (High)
- CVE-2025-9028: SQL Injection in code-projects Online Medicine Guide (Medium)
- CVE-2025-26709: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ZTE F50 (Medium)