VYPR
Medium severity 6.5 · NVD Advisory · Published Feb 20, 2026 · Updated Apr 15, 2026

CVE-2025-68002

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 100plugins Open User Map open-user-map allows Path Traversal. This issue affects Open User Map: from n/a through <= 1.4.16.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal vulnerability in Open User Map plugin versions <=1.4.16 allows unauthenticated arbitrary file download, risking exposure of sensitive data; update to 1.4.17.

The Open User Map plugin for WordPress versions 1.4.16 and below contains a path traversal vulnerability, identified as CVE-2025-68002. The plugin fails to properly restrict file paths, allowing an attacker to traverse directories and access files outside the intended scope [1].

Exploitation requires no authentication and can be performed over the network with low complexity. Attackers can craft requests to download arbitrary files from the server, including configuration files containing database credentials, backup files, or other sensitive data [1].

The impact is significant: an attacker can extract login credentials, access keys, or other secrets, potentially leading to full site compromise. Given the ease of exploitation and the value of stolen data, this vulnerability is expected to be used in mass exploitation campaigns targeting thousands of WordPress sites [1].

As a mitigation, users should update the plugin to version 1.4.17 or later, which patches the vulnerability. Patchstack has released a virtual mitigation rule to block attacks until the update is applied [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
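
To act on the update guidance above, the following added example (not code from the plugin, NVD or Patchstack) audits a WordPress root for an Open User Map install older than 1.4.17 by reading the plugin header. It assumes the default `wp-content/plugins/<slug>` layout; the sample file `main.php` and the helper names are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

SLUG = "open-user-map"   # plugin slug as given in the CVE description
FIXED = (1, 4, 17)       # first patched release named on this page

# Matches "Plugin Name:" / "Version:" lines inside a PHP header comment.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """Turn '1.4.16' into (1, 4, 16); a '-suffix' is ignored, missing parts are 0."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def installed_version(plugin_dir):
    """Read Version from the plugin's main file header.
    WordPress itself only reads the first 8 KiB of a file for header fields."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        fields = {k.lower(): v for k, v in HEADER.findall(head)}
        if "plugin name" in fields and "version" in fields:
            return fields["version"].strip()
    return None

def audit(wp_root):
    """Return (status, version) for one WordPress root (default layout assumed)."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return ("not-installed", None)
    version = installed_version(plugin_dir)
    if version is None:
        return ("unknown", None)  # directory present but no readable header
    status = "vulnerable" if parse_version(version) < FIXED else "patched"
    return (status, version)

def make_site(root, version):
    """Build a constructed sample install; the file name main.php is hypothetical."""
    d = Path(root) / "wp-content" / "plugins" / SLUG
    d.mkdir(parents=True)
    (d / "main.php").write_text(
        f"<?php\n/**\n * Plugin Name: Open User Map\n * Version: {version}\n */\n")
    return root

if __name__ == "__main__":
    for v in ("1.4.16", "1.4.17", "1.3.9"):
        with tempfile.TemporaryDirectory() as tmp:
            print(v, audit(make_site(tmp, v)))
```

An `unknown` result means the plugin directory exists but its version could not be read, and should be checked by hand rather than treated as patched.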

Affected products

1

Patches

0

No patches discovered yet.


References

1
