CVE-2025-24569
Description
Path Traversal in PDF Generator Addon for Elementor Page Builder allows an attacker to read arbitrary files on the server (<= 1.7.5).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The PDF Generator Addon for Elementor Page Builder plugin for WordPress (versions from n/a through 1.7.5) suffers from an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [1]. This allows an attacker to traverse outside the intended directory and access arbitrary files on the server. The plugin's path handling does not sufficiently sanitize user-supplied input, so directory traversal sequences in that input are honoured when the path is resolved. Versions 1.7.5 and earlier are affected; version 2.2.0 (and presumably later versions) is not vulnerable [1].
Exploitation
The attacker needs access to the plugin functionality that processes file paths (likely the PDF generation feature). No authentication is explicitly mentioned as required, but the requirement may depend on the site configuration. The attacker can craft a request containing path traversal sequences (e.g., ../) to read files outside the allowed directory. The attack vector is network-based, and no user interaction beyond the initial request is needed. Approximately 57,989 downloads of the vulnerable plugin were recorded [1], indicating significant exposure.
Impact
Successful exploitation allows an attacker to read arbitrary files from the server's filesystem, including sensitive files such as wp-config.php, database configuration files, or other site secrets. This constitutes a confidentiality breach (Information Disclosure). The attacker can potentially obtain credentials, API keys, and other sensitive data. The vulnerability has a CVSS v3 score of 7.5 (High), reflecting the ease of exploitation and potential impact.
Mitigation
The fixed version is 2.2.0, released on 2026-02-10 (according to the plugin repository) [1]. All users should update to version 2.2.0 or later immediately. For users unable to update, no workaround is provided in the references. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at this time. Site administrators should also ensure that file permissions are properly restricted to limit the blast radius even if the plugin is exploited.
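As an added illustration that is not taken from the advisory or from the plugin's own code, the check below contrasts the naive "strip ../" filter that this class of bug typically hides behind with a canonicalize-then-compare check; the uploads directory, its sample file and the request paths are constructed for the demo, and nothing here reflects the plugin's actual code paths, which the page does not describe.

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the allowed directory."""


def naive_strip_filter(user_path: str) -> str:
    """A filter that does NOT work: stripping '../' once turns
    '....//x' into '../x', and percent-encoded dots are never seen."""
    return user_path.replace("../", "")


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the canonical path for user_path under base_dir, or raise.

    Decode percent-encoding, reject NUL bytes and absolute paths, let
    realpath collapse '..' and symlinks, then require the result to share
    base_dir as its common prefix (a path-component check, not a string one).
    """
    decoded = unquote(user_path)
    if "\x00" in decoded or os.path.isabs(decoded):
        raise PathTraversalError(f"rejected {user_path!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def hardened_accepts(base_dir: str, user_path: str) -> bool:
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def naive_stays_inside(base_dir: str, user_path: str) -> bool:
    """Whether the naive filter's output still lands inside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, naive_strip_filter(user_path)))
    return os.path.commonpath([base, target]) == base


def demo() -> dict:
    """Constructed uploads directory (not real data); verdict per sample path."""
    uploads = os.path.join(tempfile.mkdtemp(), "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    samples = ["report.pdf", "../wp-config.php", "....//wp-config.php",
               "%2e%2e/wp-config.php", "/etc/passwd"]
    return {"hardened_accepts": {s: hardened_accepts(uploads, s) for s in samples},
            "naive_stays_inside": {s: naive_stays_inside(uploads, s) for s in samples}}
```

Note that "....//wp-config.php" is harmless to the hardened check (it names a literal "...." directory inside uploads) but escapes after the naive filter rewrites it, which is why filtering sequences instead of checking the resolved path fails.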
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.7.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.