CVE-2025-47513
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in James Laforge Infocob CRM Forms infocob-crm-forms allows Path Traversal. This issue affects Infocob CRM Forms: from n/a through <= 2.4.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in the Infocob CRM Forms WordPress plugin (versions 2.4.0 and earlier) lets an attacker read files outside the directory the plugin is meant to serve from; the CVE record does not state what level of access is needed to reach the flaw.
Vulnerability
Description
The Infocob CRM Forms plugin for WordPress (versions 2.4.0 and earlier) is vulnerable to path traversal (CWE-22). The plugin builds a filesystem path from request input without confining the result to its intended directory, so a value containing directory-escape sequences such as `../` resolves to a file outside that directory and the plugin reads it. Path traversal in WordPress plugins is a flaw class that is routinely swept up in mass, automated campaigns against unpatched sites. [1]
Exploitation
The flaw is reachable remotely, so it is straightforward to fold into automated scanning once a site is found to run a vulnerable version. By crafting a request that escapes the restricted directory, an attacker can retrieve files such as wp-config.php (which holds the database credentials and the authentication salts) or backup archives stored elsewhere on the server. The CVSS v3 score of 4.9 (Medium) given by the reference reflects a limited but real impact; a score that low for a network-reachable arbitrary file read is consistent with the attack requiring a highly privileged account (CVSS v3.x PR:H) rather than being unauthenticated, a detail the CVE record itself does not state. Treat the privilege requirement as unconfirmed until the vendor or the reference specifies it. [1]
Impact and Mitigation
Successful exploitation exposes sensitive information, most importantly the database credentials and secret keys in wp-config.php, which is usually enough to escalate to full compromise of the site (direct database access to reset an administrator password, forge authentication cookies, or plant a backdoor). According to the cited reference, version 2.4.1 fixes the flaw; this is consistent with the affected range (<= 2.4.0), although no patch commit is linked on this page, so confirm the fixed version against the plugin changelog before relying on it. Update immediately. If updating is not possible, a Web Application Firewall rule that rejects directory-escape sequences in the plugin's download parameter, or Patchstack's mitigation rule, can block attacks until the update is applied; after updating, review web server logs for requests to the plugin containing `../` or encoded equivalents, and rotate database credentials and salts if any such request succeeded. [1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
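The bug class described above (a download or export handler that joins request input onto a base directory) and its fix, as an added illustration written for this page rather than code from the Infocob CRM Forms plugin: the handler names, the `file` query parameter, the export directory under wp-content/uploads, the `manage_options` capability and the nonce action are all assumptions. The vulnerable function shows how a value like `../../wp-config.php` escapes the base directory; the hardened one canonicalises with `realpath()` and checks that the result still lies inside the base, which also rejects absolute paths and symlinks that point outside (cases a string filter on `../` would miss), and gates the download behind a capability and nonce check.

```php
<?php
// Added illustration for CVE-2025-47513 (Infocob CRM Forms <= 2.4.0).
// NOT the plugin's code: function names, the 'file' parameter, the export
// directory, the capability and the nonce action are assumptions.

// --- Vulnerable pattern: request input joined onto a base path, unchecked. ---
function icf_download_vulnerable(string $export_dir, string $requested): void
{
    // '../../wp-config.php' resolves to a file outside $export_dir and is served.
    $path = $export_dir . '/' . $requested;
    if (!is_file($path)) {
        wp_die('Not found', '', ['response' => 404]);
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
    exit;
}

// --- Hardened pattern: canonicalise, then prove the result is inside the base. ---
function icf_resolve_export_file(string $export_dir, string $requested): ?string
{
    $base = realpath($export_dir);
    if ($base === false) {
        return null;
    }
    // Reject NUL bytes up front; PHP filesystem calls stop at them.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses '..' segments and follows symlinks, so the comparison
    // below is against what the filesystem will actually open. Appending the
    // separator to $base stops '/exports2' from passing as inside '/exports'.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    if (!is_file($real)) {
        return null;
    }
    return $real;
}

function icf_download_hardened(string $export_dir): void
{
    // Authorisation first: only users who may manage the plugin, with a valid nonce.
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', ['response' => 403]);
    }
    check_admin_referer('icf_download_export'); // assumed nonce action name

    $requested = isset($_GET['file']) ? (string) wp_unslash($_GET['file']) : '';
    $real = icf_resolve_export_file($export_dir, $requested);
    if ($real === null) {
        wp_die('Invalid file', '', ['response' => 400]);
    }
    // Allow-list the artefact types the feature actually produces.
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, ['csv', 'json'], true)) {
        wp_die('Invalid file type', '', ['response' => 400]);
    }
    nocache_headers();
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($real) . '"');
    header('Content-Length: ' . (string) filesize($real));
    readfile($real);
    exit;
}

// Wiring (assumed action name): wp-admin/admin-post.php?action=icf_download_export&file=...
add_action('admin_post_icf_download_export', function (): void {
    icf_download_hardened(WP_CONTENT_DIR . '/uploads/icf-exports');
});
```

The containment check is the part that matters: a denylist of `../` is bypassable through encoding or symlinks, whereas comparing the canonical path against the canonical base rejects every route out of the directory regardless of how it was spelled. The capability and nonce checks are independent of the traversal fix and should be present even where the page's privilege requirement turns out to be high, since they are what make a traversal bug in an admin-only handler a 4.9 rather than a 7.5.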
Affected products
- Infocob CRM Forms (infocob-crm-forms), range: <= 2.4.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] News mentions: no linked articles in our index yet.