VYPR
Medium severity 4.9 · NVD Advisory · Published May 23, 2025 · Updated Apr 23, 2026

CVE-2025-46486

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in totalprocessing Nomupay Payment Processing Gateway totalprocessing-card-payments allows Path Traversal. This issue affects Nomupay Payment Processing Gateway: from n/a through <= 7.1.7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Nomupay Payment Processing Gateway plugin for WordPress <= 7.1.7 is vulnerable to path traversal, allowing arbitrary file downloads.

Vulnerability Description

The Nomupay Payment Processing Gateway plugin for WordPress (versions up to and including 7.1.7) contains a path traversal vulnerability due to improper limitation of a pathname to a restricted directory [1]. This vulnerability, classified as CVE-2025-46486, allows an attacker to traverse outside the intended directory and access arbitrary files on the server.

Exploitation

Attackers can exploit this vulnerability without requiring authentication, making it particularly dangerous for unpatched sites. The path traversal flaw enables an attacker to manipulate file paths in requests, potentially reading sensitive files such as wp-config.php, which contains database credentials, or other configuration and backup files [1]. The lack of proper input filtering or validation on file paths is the root cause.

Impact

If successfully exploited, an attacker could download arbitrary files from the affected WordPress installation. This includes files containing login credentials, database connection strings, and backup archives, which could lead to further compromise of the site or its data. The CVSS v3 base score of 4.9 (Medium) reflects the confidentiality impact, although the vulnerability is expected to be used in mass-exploit campaigns due to the popularity of the plugin [1].

Mitigation

The plugin vendor has released version 7.1.8, which patches the vulnerability. Users are strongly advised to update immediately to version 7.1.8 or later [1]. For those unable to update, Patchstack provides a mitigation rule that blocks attacks until an update can be applied. Automating plugin updates is recommended to reduce the window of exposure [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
