CVE-2025-28955 is a high-severity path traversal vulnerability (CWE-22) affecting the FWDesign Easy Video Player plugin for WordPress and WooCommerce. This vulnerability allows an unauthenticated remote attacker to manipulate file path inputs to access files outside the intended restricted directories. Specifically, the plugin fails to properly limit or sanitize pathname inputs, enabling traversal sequences (e.g., '../') that can lead to unauthorized reading of arbitrary files on the server. The vulnerability affects all versions of Easy Video Player up to and including version 10.0. The CVSS 3.1 base score is 7.5, reflecting a network attack vector with low attack complexity, no privileges required, and no user interaction needed. The impact is primarily on confidentiality, as attackers can read sensitive files, but it does not affect integrity or availability. No known exploits are currently reported in the wild, and no patches have been published yet. Given the plugin’s integration with WordPress and WooCommerce, widely used content management and e-commerce platforms, exploitation could expose sensitive business or customer data stored on web servers hosting these plugins. The vulnerability’s exploitation requires only sending crafted requests to the vulnerable plugin endpoints, making it a significant risk for websites using this plugin without mitigations.

For European organizations, the impact of this vulnerability can be substantial, especially for businesses relying on WordPress and WooCommerce for their online presence and digital sales. Unauthorized file access could lead to exposure of sensitive customer data, including personal information protected under GDPR, internal configuration files, or proprietary business data. This could result in regulatory penalties, reputational damage, and loss of customer trust. E-commerce sites are particularly at risk as attackers could harvest payment-related information or credentials stored on the server. Additionally, disclosure of configuration files might facilitate further attacks, such as credential theft or lateral movement within the network. Given the ease of exploitation and no requirement for authentication, attackers could automate scanning and exploitation attempts, increasing the likelihood of compromise. The lack of available patches means organizations must rely on interim mitigations to reduce risk. The vulnerability also raises concerns for managed service providers and hosting companies in Europe that support multiple clients using this plugin, as a single exploited instance could lead to broader impacts.

European organizations should immediately audit their WordPress installations to identify the presence of the FWDesign Easy Video Player plugin and its version. Until an official patch is released, the following specific mitigations are recommended: 1) Disable or remove the Easy Video Player plugin if it is not essential to operations. 2) Implement web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests targeting the plugin endpoints, such as blocking requests containing '../' sequences or suspicious file path parameters. 3) Restrict file system permissions for the web server user to limit access to sensitive directories and files, ensuring the plugin cannot read files outside its intended directories. 4) Monitor web server logs for unusual access patterns or attempts to exploit path traversal. 5) Employ network segmentation to isolate web servers hosting WordPress from critical internal systems. 6) Prepare for rapid deployment of patches once released by subscribing to vendor notifications or security mailing lists. 7) Conduct regular backups of website data to enable recovery in case of compromise. These targeted mitigations go beyond generic advice by focusing on immediate risk reduction specific to this vulnerability’s exploitation method and affected components.