CVE-2025-2932: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in jkdevstudio JKDEVKIT
The JKDEVKIT plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'font_upload_handler' function in all versions up to, and including, 1.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). If WooCommerce is enabled, attackers will need Contributor-level access and above.
AI Analysis
Technical Summary
CVE-2025-2932 is a path traversal vulnerability classified under CWE-22, affecting all versions of the JKDEVKIT plugin for WordPress up to and including version 1.9.4. The vulnerability exists due to improper validation of file paths in the 'font_upload_handler' function, which handles font uploads. Authenticated attackers with Subscriber-level privileges (or Contributor-level if WooCommerce is enabled) can exploit this flaw to delete arbitrary files on the server by manipulating the file path input. This arbitrary file deletion can be leveraged to remove critical files such as wp-config.php, which contains database credentials and other sensitive configuration data. Deleting such files can lead to remote code execution, allowing attackers to execute arbitrary commands on the server, potentially taking full control over the WordPress installation and underlying system. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and low privileges required. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability poses a critical risk to WordPress sites using JKDEVKIT, especially those with WooCommerce enabled, as it lowers the privilege threshold for exploitation.
Potential Impact
The impact of CVE-2025-2932 is severe for organizations running WordPress sites with the JKDEVKIT plugin. Successful exploitation allows attackers to delete arbitrary files, which can disrupt website functionality, cause data loss, and compromise system integrity. Deletion of configuration files like wp-config.php can expose database credentials and other secrets, enabling further compromise including remote code execution. This can lead to full server takeover, data breaches, defacement, and service outages. E-commerce sites using WooCommerce are particularly at risk since the required privilege level for exploitation is lower, increasing the attack surface. The vulnerability threatens confidentiality, integrity, and availability of affected systems, potentially impacting customer data, business operations, and reputation. Organizations worldwide relying on WordPress and JKDEVKIT face increased risk of targeted attacks, especially those with less restrictive user privilege management.
Mitigation Recommendations
1. Immediately restrict access to the JKDEVKIT plugin by limiting user roles that can upload fonts or manage plugin settings, especially Subscriber and Contributor roles.
2. Monitor and audit file deletion activities on the server to detect suspicious deletions of critical files such as wp-config.php.
3. Implement web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the font upload handler.
4. Disable or remove the JKDEVKIT plugin if it is not essential to the website's functionality until a security patch is released.
5. Enforce the principle of least privilege by reviewing and tightening user role permissions in WordPress, particularly for sites with WooCommerce enabled.
6. Regularly back up website files and databases to enable quick recovery in case of file deletion or compromise.
7. Monitor official JKDEVKIT and WordPress security advisories for patches or updates addressing this vulnerability and apply them promptly once available.
8. Consider deploying file integrity monitoring solutions to alert on unauthorized file changes or deletions.
9. Educate site administrators about the risks of granting elevated privileges to untrusted users.
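The root cause described above is a delete operation that trusts a user-supplied path. The following is an added example of the defensive pattern a plugin author would use to close that class of bug; it is not JKDEVKIT's code and says nothing about how the plugin's real 'font_upload_handler' is written. It assumes the WordPress runtime is loaded (wp_upload_dir(), current_user_can(), wp_die() are real WordPress functions), and the function name, the 'fonts' subdirectory and the accepted extensions are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code: confine a user-supplied file name
// to one directory before deleting it. Assumes WordPress is loaded.

function example_delete_uploaded_font(string $requested): void {
    // Gate on a concrete capability rather than on "is logged in"; Subscribers
    // do not hold upload_files by default, Contributors do not either.
    if (!current_user_can('upload_files')) {
        wp_die('Insufficient privileges', '', ['response' => 403]);
    }

    // Accept only a bare file name (no directory separators) with an expected
    // font extension. basename() strips any path component an attacker sends;
    // if stripping changed the value, the input contained a path and is rejected.
    $name = basename($requested);
    if ($name !== $requested
        || !preg_match('/^[A-Za-z0-9_-]+\.(ttf|otf|woff|woff2)$/', $name)) {
        wp_die('Invalid font file name', '', ['response' => 400]);
    }

    // Resolve both the allowed base directory and the candidate with realpath(),
    // which collapses "..", "." and symlinks, then require the candidate to sit
    // strictly inside the base. realpath() returns false for a missing file,
    // which is also rejected.
    $base   = realpath(wp_upload_dir()['basedir'] . '/fonts');   // 'fonts' is assumed
    $target = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_die('Path outside font directory', '', ['response' => 400]);
    }

    // Only delete regular files; never directories or special files.
    if (!is_file($target) || !unlink($target)) {
        wp_die('Delete failed', '', ['response' => 500]);
    }
}
```

The three checks are layered deliberately: the capability check addresses the low-privilege aspect called out in the advisory, the file-name allow-list stops traversal sequences before any filesystem call, and the realpath() containment check is the backstop that holds even if the allow-list is later loosened. Compare the resolved path with a trailing directory separator, as above, so that a sibling directory whose name merely starts with the base name (for example "fonts-old") is not mistaken for being inside it.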
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-03-28T16:22:08.186Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68667a046f40f0eb72967139
Added to database: 7/3/2025, 12:39:32 PM
Last enriched: 2/27/2026, 1:10:09 PM
Last updated: 3/23/2026, 6:34:40 AM