CVE-2025-9345 is a path traversal vulnerability classified under CWE-22, affecting the softdiscover File Manager, Code Editor, and Backup by Managefy plugin for WordPress. The vulnerability exists in all versions up to and including 1.4.8 and is exploitable via the ajax_downloadfile() function. This function fails to properly restrict the pathname input, allowing authenticated attackers with Subscriber-level access or higher to traverse directories and access files outside the intended restricted directory. The flaw enables unauthorized reading of sensitive files on the server, potentially exposing confidential information. The vulnerability does not allow modification or deletion of files (no integrity or availability impact), but the confidentiality impact is high. Exploitation requires authentication but no user interaction beyond that. The CVSS 3.1 score of 4.9 reflects a medium severity rating, considering the network attack vector, low attack complexity, and required privileges. No patches or exploits are currently publicly available, but the vulnerability poses a risk to WordPress sites using this plugin, especially those with multiple users having Subscriber or higher roles. This vulnerability underscores the critical need for secure coding practices around file path handling and access control in web applications.

The primary impact of CVE-2025-9345 is unauthorized disclosure of sensitive files on affected WordPress sites. Attackers with low-level authenticated access can read files outside the plugin's intended directory, potentially exposing configuration files, credentials, or other sensitive data. This can lead to further attacks such as credential theft, site compromise, or data leakage. Although the vulnerability does not allow file modification or deletion, the confidentiality breach alone can have serious consequences for organizations, including data privacy violations and reputational damage. The ease of exploitation (low complexity, network accessible) combined with the widespread use of WordPress and the plugin increases the risk of targeted attacks. Organizations with multiple users having Subscriber or higher roles are particularly vulnerable. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future exploitation. Overall, the vulnerability poses a moderate risk to organizations relying on this plugin for file management and backup operations.

To mitigate CVE-2025-9345, organizations should first check for updates from the vendor and apply any patches as soon as they become available. In the absence of an official patch, administrators should consider disabling or uninstalling the vulnerable plugin to eliminate exposure. Restricting user roles and permissions to the minimum necessary can reduce the attack surface; specifically, limiting Subscriber-level users from accessing the ajax_downloadfile() functionality or the plugin entirely. Implementing web application firewalls (WAFs) with rules to detect and block path traversal attempts targeting ajax_downloadfile() requests can provide interim protection. Additionally, monitoring server logs for suspicious file access patterns and conducting regular security audits of WordPress plugins can help detect exploitation attempts early. Developers and administrators should review and harden input validation and access controls in custom or third-party plugins to prevent similar vulnerabilities. Finally, educating users about the risks of unauthorized plugin installations and enforcing strict plugin management policies will reduce future risks.