
CVE-2025-7518: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in rsjoomla RSFirewall!

Severity: Medium
Tags: vulnerability, cve-2025-7518, cwe-22
Published: Sat Jul 12 2025 (07/12/2025, 09:24:28 UTC)
Source: CVE Database V5
Vendor/Project: rsjoomla
Product: RSFirewall!

Description

The RSFirewall! plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.1.42 via the get_local_filename() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

AI-Powered Analysis

Last updated: 07/12/2025, 09:46:08 UTC

Technical Analysis

CVE-2025-7518 is a path traversal (CWE-22) vulnerability in the RSFirewall! plugin for WordPress, developed by rsjoomla. It affects all versions up to and including 1.1.42. The flaw lies in the get_local_filename() function, which does not adequately restrict the pathname it builds from user-controlled input, so an authenticated attacker holding Administrator-level privileges or higher can read arbitrary files on the server. The advisory does not name the request parameter or admin endpoint through which the function is reached.

Path traversal occurs when user-supplied input is used to build a filesystem path without being confined to the intended directory: sequences such as ../ (or their URL-encoded forms) walk out of that directory into the rest of the filesystem. Here the likely targets are WordPress configuration files such as wp-config.php, which holds the database credentials, and any other file the web-server user can read.

Exploitation requires authentication with high privileges, so unauthenticated users and lower-privileged accounts cannot exploit it directly. The CVSS v3.1 base score is 4.9 (medium), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N: network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high impact on confidentiality, and no impact on integrity or availability. No exploitation in the wild was known at publication, and no patch had been linked to the record at that time. The impact is confined to confidentiality: the flaw allows reading sensitive files but not modifying them or causing a denial of service.
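The PHP below is an added illustration written for this page, not code from RSFirewall! or rsjoomla. The advisory does not show the real get_local_filename(), so the function bodies, the base directory and the parameter name are assumptions. It places the unsafe concatenation pattern behind CWE-22 beside a hardened version that rejects traversal input and confines the resolved path to the base directory with realpath(). PHP 8.0 or later is assumed for str_contains() and str_starts_with().

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the vulnerable function (not the plugin's code):
// the user-supplied name is concatenated onto the base directory with no
// containment check, so "../wp-config.php" escapes the intended directory.
function get_local_filename_vulnerable(string $base_dir, string $name): string
{
    return rtrim($base_dir, '/') . '/' . $name;
}

// Hardened version: reject NUL bytes, traversal and absolute paths up front,
// then resolve with realpath() and require the result to stay under $base_dir.
// Returns null when the request must be refused.
function get_local_filename_safe(string $base_dir, string $name): ?string
{
    // Cheap syntactic rejects. The '..' rule is deliberately strict; it also
    // drops odd but harmless names like "a..b", which is acceptable here.
    if ($name === '' || str_contains($name, "\0")) {
        return null;
    }
    if (str_contains($name, '..') || $name[0] === '/' || str_contains($name, '\\')) {
        return null;
    }
    // Only flat file names are expected in this policy: strip any directory part.
    $name = basename($name);

    $root = realpath($base_dir);
    if ($root === false) {
        return null;
    }
    // realpath() follows symlinks, so a symlink planted inside $base_dir that
    // points outside it still fails the prefix check below. It also returns
    // false for a non-existent file, which we treat as a refusal.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false) {
        return null;
    }
    $root_with_sep = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($candidate, $root_with_sep)) {
        return null;
    }
    return $candidate;
}

// Demonstration on a throwaway directory tree built here for the example.
$base = sys_get_temp_dir() . '/rsfw_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/logs', 0700, true);
file_put_contents($base . '/logs/firewall.log', "allowed content\n");
$secret = $base . '/wp-config.php';   // stands in for a file outside the log directory
file_put_contents($secret, "DB_PASSWORD=...\n");

$log_dir = $base . '/logs';
$attack  = '../wp-config.php';

// The vulnerable builder hands back a path that reads the file outside $log_dir.
echo "vulnerable read: ", file_get_contents(get_local_filename_vulnerable($log_dir, $attack));
// The hardened builder refuses the same input and accepts only the in-directory file.
var_dump(get_local_filename_safe($log_dir, $attack));
var_dump(get_local_filename_safe($log_dir, 'firewall.log'));

// Cleanup.
unlink($secret);
unlink($log_dir . '/firewall.log');
rmdir($log_dir);
rmdir($base);
```

The prefix comparison after realpath() is the part that actually matters: string filters alone miss encodings and symlinks, and realpath() alone without the comparison still returns whatever the input resolves to.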

Potential Impact

For European organizations running WordPress with the RSFirewall! plugin, this vulnerability creates a risk of sensitive data exposure. Organizations that rely on RSFirewall! for security monitoring and firewall functions may have a false sense of security when the security plugin itself is the weak point. An attacker with administrator access could use the flaw to extract configuration files, credentials, or other sensitive data, leading to further compromise or a data breach. This matters particularly for organizations handling personal data subject to the GDPR, where unauthorized disclosure can bring regulatory penalties and reputational damage. The need for administrator-level access limits the threat to insiders or to attackers who have already compromised an admin account, but the risk remains significant wherever credential theft or privilege escalation is plausible. The vulnerability could also serve as one stage of a longer attack: initial access through phishing or a stolen credential, then this flaw to read configuration files, and the database credentials obtained that way to deepen access and exfiltrate data.

Mitigation Recommendations

1. Restrict administrator accounts with strong authentication, in particular multi-factor authentication (MFA), to reduce the risk of credential compromise.
2. Monitor and audit administrator activity for unusual behaviour that could indicate exploitation attempts, such as admin requests to the plugin's pages whose parameters contain traversal sequences.
3. Limit the number of users with administrator privileges to the minimum necessary.
4. Apply the principle of least privilege to server file permissions so that a traversal read exposes as little as possible (no world-readable secrets, no backups or dumps left under the web root); note that files the web-server process itself must read, such as wp-config.php, remain reachable by design, so this limits rather than removes the impact.
5. Update the RSFirewall! plugin as soon as the vendor releases a fixed version.
6. Add Web Application Firewall (WAF) rules that detect and block path traversal sequences (../ and its URL-encoded and double-encoded variants) in request parameters sent to the plugin's admin endpoints. The WAF sees HTTP requests, not the get_local_filename() call, so the rule must target the request; and because the attacker is already an administrator, the rule should alert as well as block.
7. Conduct internal security assessments and penetration tests focusing on privilege escalation and file access vulnerabilities.
8. Train administrators in secure credential management and phishing recognition to prevent the initial compromise.
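As an added example for recommendations 2 and 6, and not RSFirewall!'s code or any vendor's WAF rule set: a PHP scanner that flags access-log requests to wp-admin whose target still contains a traversal sequence after URL decoding, including double-encoded forms. The log lines are constructed for the example, and the admin.php?page=rsfirewall URL is an assumed endpoint, not the plugin's real route. The normalisation step is the same one a WAF rule needs before it matches.

```php
<?php
declare(strict_types=1);

// Decode a request target repeatedly (bounded) so that %2e%2e%2f and the
// double-encoded %252e%252e%252f both collapse to "../", then unify separators.
function normalize_target(string $raw): string
{
    $prev = null;
    for ($i = 0; $i < 3 && $prev !== $raw; $i++) {
        $prev = $raw;
        $raw  = rawurldecode($raw);
    }
    $raw = str_replace('\\', '/', $raw);
    return preg_replace('#/+#', '/', $raw) ?? $raw;
}

// True when the normalised target carries a NUL byte or a ".." segment that is
// followed by "/" or the end of string. The lookbehind keeps names like "..."
// or "/..report/" from matching.
function is_traversal_attempt(string $request_target): bool
{
    $n = normalize_target($request_target);
    return str_contains($n, "\0")
        || (bool) preg_match('#(?<!\.)\.\.(?:/|$)#', $n);
}

// Returns the subset of combined-format access-log lines whose request target
// is under /wp-admin/ and looks like a traversal attempt.
function find_traversal_hits(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $target = $m[1];
        if (str_contains($target, '/wp-admin/') && is_traversal_attempt($target)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic). The endpoint and the "file"
// parameter are assumptions for the example.
$sample = [
    '10.0.0.5 - - [12/Jul/2025:09:24:28 +0000] "GET /wp-admin/admin.php?page=rsfirewall&file=logs/firewall.log HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Jul/2025:09:25:01 +0000] "GET /wp-admin/admin.php?page=rsfirewall&file=../../wp-config.php HTTP/1.1" 200 3104',
    '10.0.0.7 - - [12/Jul/2025:09:25:09 +0000] "GET /wp-admin/admin.php?page=rsfirewall&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3104',
    '10.0.0.7 - - [12/Jul/2025:09:25:15 +0000] "GET /wp-admin/admin.php?page=rsfirewall&file=..%252f..%252fwp-config.php HTTP/1.1" 200 3104',
    '10.0.0.9 - - [12/Jul/2025:09:26:40 +0000] "GET /blog/2025/..report/index.html HTTP/1.1" 200 88',
];

// Only the three admin requests from 10.0.0.7 should be reported; the legitimate
// log download and the "..report" path outside wp-admin are left alone.
foreach (find_traversal_hits($sample) as $hit) {
    echo $hit, PHP_EOL;
}
```

Run it offline over exported access logs, or lift normalize_target() and is_traversal_attempt() into the request-inspection hook of whatever WAF or filter is in front of the site. Because the legitimate user of this endpoint is an administrator, every hit deserves a follow-up on the account, not just a blocked request.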


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-11T21:09:28.884Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68722b5aa83201eaacb3aa66

Added to database: 7/12/2025, 9:31:06 AM

Last enriched: 7/12/2025, 9:46:08 AM

Last updated: 7/16/2025, 8:39:40 AM

