Wiz
Vulnerability DatabaseCVE-2025-26905

CVE-2025-26905
WordPress vulnerability analysis and mitigation

Overview

A Local File Inclusion vulnerability (CVE-2025-26905) was discovered in the Estatik WordPress plugin affecting versions up to 4.1.9. The vulnerability was reported by João Pedro S Alcântara on July 11, 2024, and was publicly disclosed on February 23, 2025. The issue stems from improper limitation of pathname to a restricted directory, allowing potential path traversal attacks (Patchstack).

Technical details

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has received a CVSS v3.1 score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires contributor-level privileges to exploit (Patchstack, NVD).

Impact

The vulnerability could allow an attacker to include local files of the target website and display their contents. This could potentially lead to exposure of sensitive information, including database credentials, which might result in complete database compromise depending on the system configuration (Patchstack).

Mitigation and workarounds

As of the disclosure date, no official fix has been released for this vulnerability. The issue affects versions up to 4.1.9 of the Estatik plugin (Patchstack).

Additional resources

SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues

Cloud threat landscape

Cloud threat landscape

A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques

PEACH

PEACH

A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo