CVE-2025-48158: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Alex Githatu BuddyPress XProfile Custom Image Field
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field buddypress-xprofile-image-field allows Path Traversal.This issue affects BuddyPress XProfile Custom Image Field: from n/a through <= 3.0.1.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-48158 affects the BuddyPress XProfile Custom Image Field plugin developed by Alex Githatu. It is a path traversal flaw that improperly limits pathname access to restricted directories, allowing remote attackers to potentially cause denial of service by accessing unintended file system locations. The CVSS 3.1 base score is 8.6, reflecting network attack vector, low attack complexity, no privileges or user interaction required, and a scope change with impact limited to availability. The affected versions are up to and including 3.0.1. No patch or vendor advisory is currently provided.
Potential Impact
The impact is limited to availability disruption (denial of service) due to path traversal. There is no confidentiality or integrity impact reported. The vulnerability can be exploited remotely without authentication or user interaction, increasing the risk of availability issues on affected systems.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting access to the affected plugin or disabling it if feasible to mitigate potential exploitation. Monitor for updates from the vendor or trusted security sources.
CVE-2025-48158: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Alex Githatu BuddyPress XProfile Custom Image Field
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field buddypress-xprofile-image-field allows Path Traversal.This issue affects BuddyPress XProfile Custom Image Field: from n/a through <= 3.0.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability identified as CVE-2025-48158 affects the BuddyPress XProfile Custom Image Field plugin developed by Alex Githatu. It is a path traversal flaw that improperly limits pathname access to restricted directories, allowing remote attackers to potentially cause denial of service by accessing unintended file system locations. The CVSS 3.1 base score is 8.6, reflecting network attack vector, low attack complexity, no privileges or user interaction required, and a scope change with impact limited to availability. The affected versions are up to and including 3.0.1. No patch or vendor advisory is currently provided.
Potential Impact
The impact is limited to availability disruption (denial of service) due to path traversal. There is no confidentiality or integrity impact reported. The vulnerability can be exploited remotely without authentication or user interaction, increasing the risk of availability issues on affected systems.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting access to the affected plugin or disabling it if feasible to mitigate potential exploitation. Monitor for updates from the vendor or trusted security sources.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Patchstack
- Date Reserved
- 2025-05-15T18:02:03.511Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68a584b3ad5a09ad0002e2ad
Added to database: 8/20/2025, 8:17:55 AM
Last enriched: 5/1/2026, 2:48:23 PM
Last updated: 5/11/2026, 2:56:43 AM
Views: 66
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.