CVE-2025-8422: CWE-73 External Control of File Name or Path in fassionstorage Propovoice: All-in-One Client Management System
The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
AI Analysis
Technical Summary
CVE-2025-8422 is an arbitrary file read vulnerability classified under CWE-73 (External Control of File Name or Path) found in the Propovoice: All-in-One Client Management System plugin for WordPress. The vulnerability exists in the send_email() function, which improperly handles file path inputs, allowing unauthenticated attackers to specify arbitrary file paths on the server. This flaw enables attackers to read sensitive files such as configuration files, password stores, or other confidential data residing on the server filesystem. The vulnerability affects all versions up to and including 1.7.6.7. Exploitation requires no authentication or user interaction, making it highly accessible to remote attackers. The vulnerability was publicly disclosed on September 11, 2025, with a CVSS v3.1 base score of 7.5, reflecting its high impact on confidentiality with no impact on integrity or availability. No patches or official fixes have been released at the time of disclosure, and no known exploits have been observed in the wild. The vulnerability poses a significant risk to organizations using this plugin, especially those managing sensitive client data via WordPress. Attackers could leverage this flaw to gather intelligence or escalate further attacks by harvesting sensitive information from the server.
Potential Impact
The primary impact of CVE-2025-8422 is the unauthorized disclosure of sensitive information stored on the server hosting the vulnerable WordPress plugin. This can lead to exposure of credentials, configuration files, or other private data, potentially enabling further attacks such as privilege escalation, lateral movement, or targeted phishing. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely by any attacker with network access to the affected server. Organizations using the Propovoice plugin for client management are at risk of data breaches, which could result in reputational damage, regulatory penalties, and operational disruptions. The scope of impact is limited to servers running the vulnerable plugin versions, but given WordPress's widespread use, the potential attack surface is significant. The lack of integrity or availability impact means the vulnerability does not directly allow data modification or service disruption, but the confidentiality breach alone is critical in environments handling sensitive client information.
Mitigation Recommendations
1. Immediately audit all WordPress installations for the presence of the Propovoice: All-in-One Client Management System plugin and identify versions up to 1.7.6.7.
2. If possible, disable or remove the vulnerable plugin until a security patch or update is released by the vendor.
3. Implement strict file system permissions on the web server to restrict access to sensitive files, minimizing the impact of arbitrary file reads.
4. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the send_email() function or attempts to access arbitrary file paths.
5. Monitor server logs for unusual file access patterns or repeated requests to the vulnerable endpoint.
6. Segregate sensitive data storage from the web server environment to reduce exposure.
7. Stay informed about vendor updates and apply patches promptly once available.
8. Consider using security plugins or tools that can detect and prevent path traversal or arbitrary file read attempts.
9. Conduct regular security assessments and penetration tests focusing on file inclusion and path traversal vulnerabilities.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-31T15:00:11.187Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c27a21e1c560fa9d94d442
Added to database: 9/11/2025, 7:28:33 AM
Last enriched: 2/26/2026, 5:07:43 PM
Last updated: 3/25/2026, 4:48:32 AM