CVE-2025-3897: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in diego-la-monica EUCookieLaw
The EUCookieLaw plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.7.2 via the 'file_get_contents' function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability can only be exploited if a caching plugin such as W3 Total Cache is installed and activated.
AI Analysis
Technical Summary
CVE-2025-3897 is a path traversal vulnerability (CWE-22) in the EUCookieLaw WordPress plugin by diego-la-monica. It allows unauthenticated attackers to leverage the 'file_get_contents' function to read arbitrary files on the server. Exploitation is conditional on the presence of a caching plugin like W3 Total Cache being installed and activated. The vulnerability affects all versions up to and including 2.7.2. The CVSS 3.1 base score is 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No patch or official remediation has been provided in the available data.
Potential Impact
Successful exploitation allows unauthenticated attackers to read arbitrary files on the affected server, potentially exposing sensitive information. The impact is limited to confidentiality as integrity and availability are not affected. The attack complexity is high due to the requirement of a caching plugin being active. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should consider disabling the EUCookieLaw plugin or the caching plugin (e.g., W3 Total Cache) to prevent exploitation. Monitoring for updates from the vendor or WordPress plugin repository is recommended to apply any official fixes once released.
CVE-2025-3897: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in diego-la-monica EUCookieLaw
Description
The EUCookieLaw plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.7.2 via the 'file_get_contents' function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability can only be exploited if a caching plugin such as W3 Total Cache is installed and activated.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-3897 is a path traversal vulnerability (CWE-22) in the EUCookieLaw WordPress plugin by diego-la-monica. It allows unauthenticated attackers to leverage the 'file_get_contents' function to read arbitrary files on the server. Exploitation is conditional on the presence of a caching plugin like W3 Total Cache being installed and activated. The vulnerability affects all versions up to and including 2.7.2. The CVSS 3.1 base score is 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No patch or official remediation has been provided in the available data.
Potential Impact
Successful exploitation allows unauthenticated attackers to read arbitrary files on the affected server, potentially exposing sensitive information. The impact is limited to confidentiality as integrity and availability are not affected. The attack complexity is high due to the requirement of a caching plugin being active. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, administrators should consider disabling the EUCookieLaw plugin or the caching plugin (e.g., W3 Total Cache) to prevent exploitation. Monitoring for updates from the vendor or WordPress plugin repository is recommended to apply any official fixes once released.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-04-23T15:56:17.104Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9817c4522896dcbd79bd
Added to database: 5/21/2025, 9:08:39 AM
Last enriched: 4/9/2026, 10:18:08 AM
Last updated: 5/8/2026, 8:08:54 PM
Views: 73
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.