CVE-2025-6070 is a directory traversal vulnerability classified under CWE-22 found in the josxha Restrict File Access plugin for WordPress. The vulnerability exists in the output() function, which fails to properly limit pathname inputs to a restricted directory. This flaw allows authenticated attackers with Subscriber-level privileges or higher to manipulate file paths and access arbitrary files on the server filesystem. Since WordPress Subscriber roles are commonly assigned to registered users with minimal privileges, this vulnerability significantly lowers the barrier for exploitation. The attacker can read sensitive files such as wp-config.php, .env files, or other server configuration files that may contain database credentials, API keys, or other confidential data. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting its medium severity with high confidentiality impact but no impact on integrity or availability. The attack vector is network-based, requires low attack complexity, privileges at the Subscriber level, and no user interaction. Although no exploits have been observed in the wild yet, the widespread use of WordPress and this plugin increases the risk of future exploitation. The vulnerability affects all versions up to and including 1.1.2 of the plugin. No official patches or updates have been linked yet, so users must implement interim mitigations. The flaw highlights the importance of proper input validation and path sanitization in plugins that control file access.

The primary impact of CVE-2025-6070 is unauthorized disclosure of sensitive information stored on the web server hosting WordPress sites using the vulnerable plugin. Attackers with minimal privileges can read arbitrary files, potentially exposing database credentials, private keys, user data, or internal configuration details. This can lead to further compromise, such as privilege escalation, data breaches, or lateral movement within the network. Organizations relying on this plugin risk data leakage that could violate privacy regulations and damage reputation. Since the vulnerability does not affect integrity or availability, it does not directly enable data modification or denial of service. However, the confidentiality breach alone is significant, especially for sites handling sensitive or regulated data. The ease of exploitation by low-privilege authenticated users increases the threat surface, particularly for sites with many registered users. The absence of known exploits in the wild currently limits immediate risk but does not preclude future attacks.

1. Immediately restrict Subscriber-level users’ ability to upload or interact with files beyond their intended scope by reviewing and tightening WordPress user role permissions. 2. Implement web application firewall (WAF) rules to detect and block suspicious path traversal patterns targeting the output() function or file access endpoints of the plugin. 3. Monitor server and application logs for unusual file access attempts, especially those involving traversal sequences like '../'. 4. Limit file system permissions on the server to ensure the web server user has the minimum necessary read access, preventing exposure of sensitive files even if traversal is attempted. 5. Disable or remove the josxha Restrict File Access plugin if immediate patching is not available and alternative access control mechanisms exist. 6. Stay alert for official patches or updates from the plugin vendor and apply them promptly once released. 7. Conduct regular security audits and penetration tests focusing on file access controls within WordPress environments. 8. Educate administrators and developers about secure coding practices related to path validation and sanitization to prevent similar vulnerabilities.