CVE-2025-54715
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders allows Path Traversal. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.9.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal flaw in the WordPress Barcode Scanner with Inventory & Order Manager plugin, versions up to and including 1.9.0, allows unauthenticated remote attackers to download arbitrary files from the server.
Vulnerability Description
CVE-2025-54715 describes a path traversal vulnerability in the WordPress plugin "Barcode Scanner with Inventory & Order Manager" (barcode-scanner-lite-pos-to-manage-products-inventory-and-orders) by Dmitry V. (CEO of "UKR Solution"). The flaw exists in versions from n/a through 1.9.0. The weakness is improper limitation of a pathname to a restricted directory (CWE-22): a user-supplied value is used to build a file path without being confined to the directory the plugin intends to serve from, so traversal sequences such as ../ let an attacker reach files outside that directory, anywhere the web server process can read.
Attack Vector
The vulnerability can be exploited without authentication, as the plugin fails to properly validate and sanitize file path inputs [1]. An attacker only needs network access to the WordPress site and the ability to send crafted HTTP requests. The issue is categorized as an arbitrary file download: the attacker chooses which file on the server to retrieve and receives its contents in the response.
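The following is an added illustrative example, not code from the plugin or its vendor, showing the mechanism described above: an unsafe download path resolver that concatenates user input onto a directory, beside a hardened resolver that decodes repeatedly, rejects NUL bytes and absolute paths, canonicalises with realpath and checks containment. The WordPress-like directory tree, the export directory name and the traversal payloads are constructed for the example.

```python
"""Added illustrative example (not the plugin's code): a download path
resolver that enforces directory containment, beside the unsafe pattern
that CWE-22 describes, exercised against constructed traversal payloads."""
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the allowed directory."""


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    # Unsafe pattern: user input joined onto a directory with no
    # canonicalisation and no containment check, so '../' walks out of base_dir.
    return os.path.join(base_dir, unquote(requested))


def resolve_download(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` inside `base_dir`, or raise.

    Decodes repeatedly (defeats double encoding), rejects NUL bytes and
    absolute paths, canonicalises with realpath (which follows symlinks) and
    checks containment with commonpath rather than a string-prefix test, so
    '/srv/exports-evil' cannot pass as being under '/srv/exports'.
    """
    decoded = requested
    for _ in range(3):  # three rounds cover nested %25-encoding layers
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    if os.path.isabs(decoded) or decoded.startswith(("/", "\\")):
        raise PathTraversalError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{requested!r} escapes {base}")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def build_fixture() -> tuple:
    """Create a constructed WordPress-like tree: wp-config.php at the site
    root and one legitimate export file under a hypothetical export directory."""
    root = tempfile.mkdtemp(prefix="wp-")
    export_dir = os.path.join(root, "wp-content", "uploads", "barcode-exports")
    os.makedirs(export_dir)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    with open(os.path.join(export_dir, "inventory.csv"), "w") as f:
        f.write("sku,qty\nABC123,4\n")
    return root, export_dir


# Constructed payloads; each one must be refused by resolve_download().
TRAVERSAL_PAYLOADS = [
    "../../../wp-config.php",                                       # plain
    "..%2F..%2F..%2Fwp-config.php",                                 # encoded slash
    "%252e%252e%252f%252e%252e%252f%252e%252e%252fwp-config.php",   # double-encoded
    "/etc/passwd",                                                  # absolute path
    "inventory.csv%00../../../wp-config.php",                       # NUL truncation
]


def vulnerable_escapes(base_dir: str, payload: str) -> bool:
    """True if the unsafe resolver hands back an existing file for the payload."""
    return os.path.isfile(vulnerable_resolve(base_dir, payload))


def check_payloads(base_dir: str) -> dict:
    """Outcome per payload for the hardened resolver: 'blocked', 'missing'
    (inside the directory but absent) or the path that would be served."""
    results = {}
    for payload in TRAVERSAL_PAYLOADS:
        try:
            results[payload] = resolve_download(base_dir, payload)
        except PathTraversalError:
            results[payload] = "blocked"
        except FileNotFoundError:
            results[payload] = "missing"
    return results


if __name__ == "__main__":
    root, export_dir = build_fixture()
    print("unsafe resolver leaks wp-config.php:",
          vulnerable_escapes(export_dir, TRAVERSAL_PAYLOADS[0]))
    for payload, outcome in check_payloads(export_dir).items():
        print(f"{outcome:8} {payload}")
    print("legitimate:", resolve_download(export_dir, "inventory.csv"))
```

The containment check is done after realpath on purpose: checking for "../" in the raw string misses encoded variants and symlinks, while checking the canonical result catches every way of spelling the same escape.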
Impact
Successful exploitation allows a malicious actor to download any file from the vulnerable website's filesystem that the web server process can read. This includes sensitive files such as wp-config.php (which contains the database credentials and authentication salts), backup archives, or other files that may disclose login credentials or proprietary data [1]. The CVSS v3 base score is 4.9 (Medium), reflecting the information disclosure impact.
Mitigation
The vulnerability affects plugin versions up to and including 1.9.0. Users are strongly advised to update the plugin to the latest available release later than 1.9.0, as security patches have been issued [1]. If an immediate update is not possible, deactivate the plugin until it can be updated, or contact the hosting provider or a web developer for assistance [1]. Because the disclosed files may contain database credentials, a site that was exposed while unpatched should also rotate the secrets in wp-config.php. This type of flaw is known to be targeted in mass-exploit campaigns against WordPress sites.
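Since the impact and mitigation sections above turn on whether a site was actually hit, the following added example (not the plugin's or vendor's code) scans Apache/nginx combined-format access log lines for traversal attempts against a download endpoint, decodes single and double percent-encoding, and separates attempts the server answered with a 200 and a non-empty body from the rest. The log lines, the endpoint path /wp-content/plugins/example-plugin/download.php and the file parameter are constructed placeholders; the page does not name the real plugin endpoint.

```python
"""Added illustrative example (not the plugin's code): detection of path
traversal attempts against a WordPress download endpoint in combined-format
access logs. Log lines and the endpoint path are constructed."""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log. The endpoint and the "file" parameter are
# placeholders, not the real plugin's endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [19/May/2026:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=inventory.csv HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [19/May/2026:10:00:02 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [19/May/2026:10:00:03 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=%252e%252e%252f%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.7 - - [19/May/2026:10:00:04 +0000] "GET /wp-content/plugins/example-plugin/download.php?file=..%2F..%2Fbackup.zip HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if any path segment of the decoded value is '..' (either slash).
    Segment-based, so a legitimate name like 'report..csv' is not flagged."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments


def analyze_line(line: str) -> Optional[dict]:
    """Parse one log line; return a hit record if the URL path or any query
    parameter carries a traversal sequence, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    suspicious = {}
    if has_traversal(target.path):
        suspicious["<path>"] = fully_decode(target.path)
    for key, val in parse_qsl(target.query, keep_blank_values=True):
        if has_traversal(val):  # parse_qsl decoded once; this handles the rest
            suspicious[key] = fully_decode(val)
    if not suspicious:
        return None
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
        "params": suspicious,
    }


def scan_log(text: str) -> list:
    return [hit for hit in map(analyze_line, text.splitlines()) if hit]


def likely_successful(hits: list) -> list:
    """Traversal requests answered with 200 and a non-empty body: the ones
    that most likely disclosed a file and warrant credential rotation."""
    return [h for h in hits if h["status"] == 200 and h["size"] > 0]


def attacker_ips(hits: list) -> list:
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["status"], h["size"], h["params"])
    print("likely successful:", len(likely_successful(hits)))
    print("source IPs:", attacker_ips(hits))
```

A 404 for a traversal attempt still matters: it shows scanning activity against the endpoint, while a 200 with a body size matching wp-config.php is the signal to treat the database credentials as compromised.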
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
- Range: <= 1.9.0
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.