CVE-2025-9345: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in softdiscover File Manager, Code Editor, and Backup by Managefy
The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.8 via the ajax_downloadfile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory.
AI Analysis
Technical Summary
CVE-2025-9345 is a path traversal vulnerability affecting the WordPress plugin 'File Manager, Code Editor, and Backup by Managefy' developed by softdiscover. This vulnerability exists in all versions up to and including 1.4.8 and is exploitable via the ajax_downloadfile() function. The flaw allows authenticated users with Subscriber-level access or higher to manipulate file paths and access files outside the intended directory scope. This improper limitation of a pathname to a restricted directory (CWE-22) enables attackers to read arbitrary files on the server, potentially exposing sensitive information such as configuration files, credentials, or other protected data. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 4.9 (medium severity), reflecting the network attack vector, low attack complexity, and the requirement for privileges (authenticated users). The impact is primarily on confidentiality, as the vulnerability allows unauthorized reading of files but does not affect integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. Because the plugin runs inside WordPress, a widely used CMS, this vulnerability could be leveraged in targeted attacks against websites that use this plugin, especially those with multiple user roles and open subscriber registration.
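The defect class described above, as an added illustration that is not the plugin's code and does not reproduce ajax_downloadfile(): a download handler that joins user input onto its root directory (the CWE-22 pattern) beside a hardened version that canonicalises both sides and checks containment. The download root, the request names and the symlink case are constructed for the example; the plugin's real parameter format is not stated on the page.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed request names covering the cases a download handler must reject.
# The plugin's real parameter format is not given on the page; these are illustrative only.
SAMPLE_REQUESTS = [
    "backups/site.zip",            # legitimate file inside the download root
    "backups/./site.zip",          # harmless './' segment, still inside
    "../secret.txt",               # classic traversal one level up
    "backups/../../secret.txt",    # traversal hidden behind a valid prefix
    "link",                        # symlink inside the root that points outside it
    "/etc/hostname",               # absolute path that os.path.join() would honour
]


def naive_download_path(base_dir: str, requested: str) -> str:
    """The CWE-22 pattern: join user input onto the root and trust the result.

    Returned normalised so the escape is visible: '../' segments walk out of base_dir.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_download_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of `requested` inside `base_dir`, or None if it escapes.

    Both sides are canonicalised with realpath() so '..' segments and symlinks are
    resolved before the containment check, instead of pattern-matching on '../'.
    """
    if os.path.isabs(requested):
        return None  # join() would discard base_dir for an absolute path
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() compares whole segments, so '/srv/uploads2' is not inside '/srv/uploads'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway download root and report which SAMPLE_REQUESTS would be served."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "uploads")
        os.makedirs(os.path.join(base, "backups"))
        Path(base, "backups", "site.zip").write_bytes(b"constructed zip")
        Path(tmp, "secret.txt").write_text("constructed file outside the root")
        # Symlink inside the root pointing outside it: a lexical '../' filter passes it,
        # realpath() does not.
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(base, "link"))
        return {r: resolve_download_path(base, r) is not None for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for name, served in demo().items():
        print(f"{'serve ' if served else 'REJECT'}  {name}")
```

The containment check runs after canonicalisation, so it also covers the symlink case that a filter on '../' in the raw input misses; rejecting absolute paths up front matters because os.path.join() silently drops the base directory for them.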
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to websites and web applications running WordPress with the affected plugin installed. Confidentiality breaches could lead to exposure of sensitive corporate data, intellectual property, or personal data protected under GDPR, potentially resulting in regulatory penalties and reputational damage. Attackers gaining access to configuration files or credentials could further escalate attacks, pivoting to other internal systems. Since the vulnerability requires authenticated access at Subscriber level or above, organizations with lax user access controls or many registered users are at higher risk. The impact is heightened for sectors with stringent data protection requirements such as finance, healthcare, and government. Additionally, websites serving as customer portals or handling personal data could be compromised, leading to data leaks. Although the vulnerability does not directly affect system integrity or availability, the confidentiality impact alone warrants attention. The lack of known exploits suggests a window of opportunity for proactive mitigation before widespread exploitation occurs.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the 'File Manager, Code Editor, and Backup by Managefy' plugin. If found, restrict plugin usage to trusted administrators only or disable it until a patch is available. Implement strict user role management to limit Subscriber-level access and review user accounts for unnecessary privileges. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious ajax_downloadfile() requests that attempt path traversal patterns (e.g., '../'). Monitor web server logs for anomalous file access attempts outside expected directories. Encourage plugin vendors to release patches promptly and apply updates as soon as they become available. Additionally, consider isolating WordPress instances in segmented network zones to limit lateral movement if compromised. Regularly back up website data and configurations securely to enable recovery in case of compromise. Finally, conduct security awareness training for administrators on the risks of plugin vulnerabilities and the importance of timely patching.
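The log-monitoring and WAF advice above, as an added example that is not part of the original advisory: a small detector run over constructed combined-format access log lines. admin-ajax.php is WordPress's standard AJAX entry point, but the action name 'downloadfile' and the 'file' parameter are assumptions, since the page does not say what ajax_downloadfile() is registered as or which parameter it reads. The detector decodes every query parameter until stable before looking for a '..' segment, and is shown beside a literal substring rule so the gap between the two is visible.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access log lines. The action name 'downloadfile' and the
# 'file' parameter are assumptions; the page does not state what ajax_downloadfile() reads.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Aug/2025:04:02:49 +0000] "GET /wp-admin/admin-ajax.php?action=downloadfile&file=backups/site.zip HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [28/Aug/2025:04:03:01 +0000] "GET /wp-admin/admin-ajax.php?action=downloadfile&file=../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [28/Aug/2025:04:03:15 +0000] "GET /wp-admin/admin-ajax.php?action=downloadfile&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.13 - - [28/Aug/2025:04:03:30 +0000] "GET /wp-admin/admin-ajax.php?action=downloadfile&file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.14 - - [28/Aug/2025:04:04:00 +0000] "GET /index.php?p=../readme.html HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A '..' path segment bounded by separators or string ends; backslashes are normalised first.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so nested encodings cannot hide a '..' segment."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_substring_hits(log_text: str) -> list:
    """The advisory's '../' rule taken literally against the raw request line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and "admin-ajax.php" in m["target"] and "../" in m["target"]:
            hits.append(m["ip"])
    return hits


def find_traversal_attempts(log_text: str) -> list:
    """Decode every query parameter of admin-ajax.php requests and flag '..' segments."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue  # scope to the WordPress AJAX endpoint the plugin's handler hangs off
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for raw in values:  # parse_qs has already decoded one layer
                decoded = fully_decode(raw).replace("\\", "/")
                if TRAVERSAL_RE.search(decoded):
                    hits.append({"ip": m["ip"], "time": m["ts"], "param": name,
                                 "decoded": decoded, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    print("literal '../' rule flags:", naive_substring_hits(SAMPLE_LOG))
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['param']}={hit['decoded']!r} status={hit['status']}")
```

On the sample input the literal rule flags only the unencoded request, while the decoding detector flags all three traversal attempts and leaves the legitimate download and the unrelated index.php request alone. A WAF rule built the same way should match on the decoded parameter value and, for a real incident, the recorded status and response size tell you whether the request was served.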
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-22T14:12:56.987Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68afd4e9ad5a09ad0068abaf
Added to database: 8/28/2025, 4:02:49 AM
Last enriched: 8/28/2025, 4:18:02 AM
Last updated: 8/28/2025, 7:51:29 AM
Views: 4
Related Threats
- CVE-2025-48963: CWE-610 in Acronis Acronis Cyber Protect Cloud Agent (High)
- CVE-2025-58081: Use of hard-coded password in DOS Co., Ltd. SS1 (High)
- CVE-2025-58072: Improper limitation of a pathname to a restricted directory ('Path Traversal') in DOS Co., Ltd. SS1 (High)
- CVE-2025-54819: Improper limitation of a pathname to a restricted directory ('Path Traversal') in DOS Co., Ltd. SS1 (Medium)
- CVE-2025-54762: Unrestricted upload of file with dangerous type in DOS Co., Ltd. SS1 (Critical)