CVE-2025-8562: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in peterhebert Custom Query Shortcode
The Custom Query Shortcode plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.4.0 via the 'lens' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.
AI Analysis
Technical Summary
CVE-2025-8562 is a path traversal vulnerability identified in the Custom Query Shortcode plugin for WordPress, developed by peterhebert. This vulnerability affects all versions up to and including 0.4.0. The flaw resides in the handling of the 'lens' parameter, which is improperly sanitized, allowing authenticated users with Contributor-level access or higher to manipulate the pathname and access files outside the intended directory scope. This CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) vulnerability enables attackers to read arbitrary files on the server, potentially exposing sensitive information such as configuration files, credentials, or other private data. The vulnerability does not require user interaction beyond authentication and has a CVSS 3.1 base score of 6.5, indicating a medium severity level. The attack vector is network-based (remote), with low attack complexity and privileges required at the Contributor level, but no user interaction is needed. The vulnerability impacts confidentiality but does not affect integrity or availability. No known exploits are currently reported in the wild, and no official patches have been released as of the publication date (August 25, 2025).
Potential Impact
For European organizations using WordPress sites with the Custom Query Shortcode plugin, this vulnerability poses a significant risk to the confidentiality of sensitive data stored on web servers. Attackers with Contributor-level access—which is a relatively low privilege level—can exploit this flaw to read files outside the intended directories. This can lead to exposure of critical information such as database credentials, private keys, or proprietary business data. Such data leaks can facilitate further attacks, including privilege escalation, lateral movement, or targeted phishing campaigns. Given the widespread use of WordPress across European enterprises, including SMEs and large organizations, the risk is non-trivial. The vulnerability does not directly impact system integrity or availability, but the confidentiality breach alone can have severe regulatory and reputational consequences, especially under GDPR requirements for data protection and breach notification. Additionally, the lack of known exploits in the wild currently provides a window for proactive mitigation before widespread exploitation occurs.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Custom Query Shortcode plugin, particularly versions up to 0.4.0. Since no official patch is available yet, organizations should consider the following specific mitigations:
1) Restrict Contributor-level access strictly to trusted users and review user roles to minimize unnecessary privileges.
2) Implement web application firewall (WAF) rules to detect and block suspicious requests attempting path traversal via the 'lens' parameter.
3) Employ file system permissions to limit the web server's access to sensitive files, ensuring that even if path traversal is attempted, critical files remain inaccessible.
4) Monitor server logs for unusual file access patterns or requests targeting the vulnerable parameter.
5) Consider temporarily disabling or removing the plugin until a secure version is released.
6) Stay updated with vendor advisories and apply patches as soon as they become available.
7) Conduct internal security awareness training to ensure developers and administrators understand the risks associated with plugin vulnerabilities and privilege management.
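As an added illustration of the WAF and log-monitoring recommendations (this is example code, not part of the original advisory or the plugin), the following Python scanner flags requests whose 'lens' parameter carries a parent-directory sequence after full percent-decoding, so single- and double-encoded variants are caught alike. The log lines are constructed samples, and the Apache "combined" log format is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" format; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Aug/2025:09:48:12 +0000] "GET /wp-admin/post.php?post=12&action=edit HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Aug/2025:09:49:01 +0000] "GET /?lens=card HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Aug/2025:09:50:22 +0000] "GET /?lens=../../../../wp-config.php HTTP/1.1" 200 3001 "-" "curl/8.0"
203.0.113.9 - - [25/Aug/2025:09:50:40 +0000] "GET /?lens=..%2F..%2Fwp-config.php HTTP/1.1" 200 3001 "-" "curl/8.0"
203.0.113.9 - - [25/Aug/2025:09:51:03 +0000] "GET /?lens=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1200 "-" "curl/8.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A ".." segment bounded by separators (or string start/end) walks above the directory.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e) are unmasked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if the decoded value contains a parent-directory segment in either slash style."""
    return TRAVERSAL_RE.search(decode_fully(value).replace("\\", "/")) is not None


def scan_log(text: str, param: str = "lens") -> list:
    """Return (ip, timestamp, decoded value, status) for requests whose `param` carries a traversal."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for raw in query.get(param, []):  # parse_qs already applied one round of decoding
            if has_traversal(raw):
                hits.append((m.group("ip"), m.group("ts"), decode_fully(raw), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, ts, value, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} lens={value!r} status={status}")
```

A flagged request that returned 200 is the one to investigate first, since a 403 from a WAF rule means the traversal was blocked before the plugin saw it.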
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-04T19:06:37.983Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ac315cad5a09ad004a8675
Added to database: 8/25/2025, 9:48:12 AM
Last enriched: 8/25/2025, 10:02:51 AM
Last updated: 8/25/2025, 12:30:08 PM