VYPR
Medium severity 6.5 · NVD Advisory · Published Aug 20, 2025 · Updated Apr 28, 2026

CVE-2025-47650

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global infility-global allows Path Traversal. This issue affects Infility Global: from n/a through <= 2.15.06.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in Infility Global WordPress plugin allows unauthenticated attackers to download arbitrary files from the server.

Vulnerability

Overview

CVE-2025-47650 is a path traversal vulnerability in the Infility Global WordPress plugin (versions up to 2.15.06). The plugin fails to properly restrict file paths when handling user-supplied input, allowing an attacker to traverse outside the intended directory. This is a classic path traversal flaw (CWE-22) where the application does not validate or sanitize the path parameter, enabling access to files outside the web root [1].

Exploitation

The vulnerability can be exploited without authentication, making it accessible to any remote attacker. By crafting a request with directory traversal sequences (e.g., ../), an attacker can read arbitrary files from the server's filesystem. The attack requires no special privileges or user interaction, and the plugin's widespread use in WordPress sites increases the potential attack surface [1].

Impact

Successful exploitation allows an attacker to download sensitive files, including configuration files containing database credentials, wp-config.php, or other files with login credentials. This could lead to complete site compromise, data breaches, or further lateral movement within the hosting environment. The vendor advisory notes that this type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of sites [1].

Mitigation

The vendor has released a patched version; users should update Infility Global to the latest available version immediately. If updating is not possible, a web application firewall or file access restrictions may provide temporary mitigation, but the only complete fix is to apply the vendor's patch [1].
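To find installations that still need the update, the following added example (not code from the vendor or from this advisory) reads the plugin's header and flags any version at or below 2.15.06. It assumes the default `wp-content/plugins/infility-global/` location and a standard WordPress `Version:` header; the fixed version number is not stated on this page, so the check uses only the upper bound given in the description.

```python
import re
from pathlib import Path

SLUG = "infility-global"    # plugin slug as given in the advisory
LAST_AFFECTED = "2.15.06"   # upper bound from the description ("through <= 2.15.06")

# Same shape as a WordPress plugin header line, e.g. " * Version: 1.2.3"
_HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_plugin_version(php_source):
    """Return the Version value from a plugin header, or None if absent."""
    m = _HEADER_VERSION.search(php_source[:8192])  # WordPress reads only the first 8 KB
    return m.group(1) if m else None

def version_key(version):
    """Turn '2.15.06' into (2, 15, 6); None if a segment has no leading digits."""
    parts = []
    for seg in version.split("."):
        m = re.match(r"\d+", seg)
        if not m:
            return None
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(version):
    """True if version <= LAST_AFFECTED. Missing or unparseable versions fail safe."""
    key = version_key(version) if version else None
    if key is None:
        return True
    bound = version_key(LAST_AFFECTED)
    width = max(len(key), len(bound))
    pad = lambda t: t + (0,) * (width - len(t))  # compare '2.15' as '2.15.0'
    return pad(key) <= pad(bound)

def scan(wp_root):
    """Yield (file, version, affected) for each header found in the plugin directory."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG  # assumed default layout
    for php in sorted(plugin_dir.glob("*.php")):
        version = parse_plugin_version(php.read_text(errors="replace"))
        if version is not None:
            yield str(php), version, is_affected(version)

# Constructed sample header for illustration, not copied from the plugin
SAMPLE = "<?php\n/*\n * Plugin Name: Infility Global\n * Version: 2.15.06\n */\n"

if __name__ == "__main__":
    import sys
    for path, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}\t{version}\t{'AFFECTED' if affected else 'ok'}")
```

Run it with the WordPress root as the only argument; a site that relocates its plugin directory needs the path in `scan` adjusted.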

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

0

No patches discovered yet.


References

1
