CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

BaseStableLikelihood: High

Description

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Hierarchy (View 1000)

Parents

CWE-706

Children

Related attack patterns (CAPEC)

CAPEC-126 · CAPEC-64 · CAPEC-76 · CAPEC-78 · CAPEC-79

CVEs mapped to this weakness (3,746)

page 84 of 188

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-53298	—	Med	0.32	4.9	0.00	Jun 27, 2025	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gioni Plugin Inspector plugin-inspector allows Path Traversal.This issue affects Plugin Inspector: from n/a through <= 1.5.
CVE-2025-5741	—	Med	0.32	4.9	0.00	Jun 10, 2025	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file reads from the charging station. The exploitation of this vulnerability does require an authenticated session of the web server.
CVE-2025-47513	WordPress Infocob Crm Forms	Med	0.32	4.9	0.00	May 23, 2025	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in James Laforge Infocob CRM Forms infocob-crm-forms allows Path Traversal.This issue affects Infocob CRM Forms: from n/a through <= 2.4.0.
CVE-2025-46486	WordPress Totalprocessing Card Payments	Med	0.32	4.9	0.00	May 23, 2025	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in totalprocessing Nomupay Payment Processing Gateway totalprocessing-card-payments allows Path Traversal.This issue affects Nomupay Payment Processing Gateway: from n/a through <= 7.1.7.
CVE-2025-31827	WordPress Fonto	Med	0.32	4.9	0.00	Apr 3, 2025	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vlad.olaru Fonto fonto allows Path Traversal.This issue affects Fonto: from n/a through <= 1.2.2.
CVE-2025-31825	WordPress Category Icon	Med	0.32	4.9	0.00	Apr 3, 2025	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in pixelgrade Category Icon category-icon allows Path Traversal.This issue affects Category Icon: from n/a through <= 1.0.1.
CVE-2025-23416	—	Med	0.32	4.9	0.00	Mar 5, 2025	Path traversal may lead to arbitrary file deletion. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.
CVE-2025-21095	—	Med	0.32	4.9	0.00	Mar 5, 2025	Path traversal may lead to arbitrary file download. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.
CVE-2025-27274	Axelkeller Gpx Viewer	Med	0.32	4.9	0.00	Mar 3, 2025	Path Traversal: '.../...//' vulnerability in axelkeller GPX Viewer gpx-viewer allows Path Traversal.This issue affects GPX Viewer: from n/a through <= 2.2.11.
CVE-2025-26779	WordPress Keep Backup Daily	Med	0.32	4.9	0.00	Feb 16, 2025	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fahad Mahmood Keep Backup Daily keep-backup-daily allows Path Traversal.This issue affects Keep Backup Daily: from n/a through <= 2.1.0.
CVE-2025-24961	—	Med	0.32	—	0.00	Feb 3, 2025	org.gaul S3Proxy implements the S3 API and proxies requests. Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to users. This issue has been addressed in version 2.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2025-24605	Pluginus Wolf Wordpress Posts Bulk Editor And Products Manager Professional	Med	0.32	4.9	0.00	Feb 3, 2025	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RealMag777 WOLF bulk-editor allows Path Traversal.This issue affects WOLF: from n/a through <= 1.0.8.5.
CVE-2025-24611	WordPress Wp Ultimate Exporter	Med	0.32	4.9	0.00	Jan 24, 2025	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Smackcoders Inc., WP Ultimate Exporter wp-ultimate-exporter allows Absolute Path Traversal.This issue affects WP Ultimate Exporter: from n/a through <= 2.9.
CVE-2024-56248	WordPress Wpmastertoolkit	Med	0.32	4.9	0.01	Jan 2, 2025	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Path Traversal.This issue affects WPMasterToolKit: from n/a through <= 1.13.1.
CVE-2024-54452	—	Med	0.32	4.9	0.01	Dec 27, 2024	An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35 and 7.10.x through 7.10.0.18. A Directory Traversal and Local File Inclusion vulnerability in the logsSys.do page allows remote attackers (authenticated as administrators) to trigger the display of unintended files. Any file accessible to the Kurmi user account could be displayed, e.g., configuration files with information such as the database password.
CVE-2024-12850	WordPress Database Backup	Med	0.32	4.9	0.02	Dec 24, 2024	The Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.32 via the database_backup_ajax_download() function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
CVE-2024-54382	Bold Themes Bold Page Builder	Med	0.32	4.9	0.01	Dec 16, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in boldthemes Bold Page Builder bold-page-builder allows Path Traversal.This issue affects Bold Page Builder: from n/a through <= 5.1.5.
CVE-2024-52396	Pluginus Wolf Wordpress Posts Bulk Editor And Products Manager Professional	Med	0.32	4.9	0.01	Nov 14, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RealMag777 WOLF bulk-editor allows Path Traversal.This issue affects WOLF: from n/a through <= 1.0.8.3.
CVE-2024-9146	—	Med	0.32	4.9	0.01	Oct 5, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in jamesdlow CSS JS Files css-js-files allows Path Traversal.This issue affects CSS JS Files: from n/a through <= 1.5.0.
CVE-2023-23872	WordPress Gmace	Med	0.32	4.9	0.01	May 17, 2024	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in German Mesky GMAce allows Path Traversal.This issue affects GMAce: from n/a through 1.5.2.

CVE-2025-53298MedJun 27, 2025
risk 0.32cvss 4.9epss 0.00
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gioni Plugin Inspector plugin-inspector allows Path Traversal.This issue affects Plugin Inspector: from n/a through <= 1.5.
CVE-2025-5741MedJun 10, 2025
risk 0.32cvss 4.9epss 0.00
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause arbitrary file reads from the charging station. The exploitation of this vulnerability does require an authenticated session of the web server.
CVE-2025-47513MedMay 23, 2025
WordPress
Infocob Crm Forms
risk 0.32cvss 4.9epss 0.00
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in James Laforge Infocob CRM Forms infocob-crm-forms allows Path Traversal.This issue affects Infocob CRM Forms: from n/a through <= 2.4.0.
CVE-2025-46486MedMay 23, 2025
WordPress
Totalprocessing Card Payments
risk 0.32cvss 4.9epss 0.00
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in totalprocessing Nomupay Payment Processing Gateway totalprocessing-card-payments allows Path Traversal.This issue affects Nomupay Payment Processing Gateway: from n/a through <= 7.1.7.
CVE-2025-31827MedApr 3, 2025
WordPress
Fonto
risk 0.32cvss 4.9epss 0.00
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vlad.olaru Fonto fonto allows Path Traversal.This issue affects Fonto: from n/a through <= 1.2.2.
CVE-2025-31825MedApr 3, 2025
WordPress
Category Icon
risk 0.32cvss 4.9epss 0.00
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in pixelgrade Category Icon category-icon allows Path Traversal.This issue affects Category Icon: from n/a through <= 1.0.1.
CVE-2025-23416MedMar 5, 2025
risk 0.32cvss 4.9epss 0.00
Path traversal may lead to arbitrary file deletion. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.
CVE-2025-21095MedMar 5, 2025
risk 0.32cvss 4.9epss 0.00
Path traversal may lead to arbitrary file download. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.
CVE-2025-27274MedMar 3, 2025
Axelkeller
Gpx Viewer
risk 0.32cvss 4.9epss 0.00
Path Traversal: '.../...//' vulnerability in axelkeller GPX Viewer gpx-viewer allows Path Traversal.This issue affects GPX Viewer: from n/a through <= 2.2.11.
CVE-2025-26779MedFeb 16, 2025
WordPress
Keep Backup Daily
risk 0.32cvss 4.9epss 0.00
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fahad Mahmood Keep Backup Daily keep-backup-daily allows Path Traversal.This issue affects Keep Backup Daily: from n/a through <= 2.1.0.
CVE-2025-24961MedFeb 3, 2025
risk 0.32cvss —epss 0.00
org.gaul S3Proxy implements the S3 API and proxies requests. Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to users. This issue has been addressed in version 2.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2025-24605MedFeb 3, 2025
Pluginus
Wolf Wordpress Posts Bulk Editor And Products Manager Professional
risk 0.32cvss 4.9epss 0.00
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RealMag777 WOLF bulk-editor allows Path Traversal.This issue affects WOLF: from n/a through <= 1.0.8.5.
CVE-2025-24611MedJan 24, 2025
WordPress
Wp Ultimate Exporter
risk 0.32cvss 4.9epss 0.00
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Smackcoders Inc., WP Ultimate Exporter wp-ultimate-exporter allows Absolute Path Traversal.This issue affects WP Ultimate Exporter: from n/a through <= 2.9.
CVE-2024-56248MedJan 2, 2025
WordPress
Wpmastertoolkit
risk 0.32cvss 4.9epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Path Traversal.This issue affects WPMasterToolKit: from n/a through <= 1.13.1.
CVE-2024-54452MedDec 27, 2024
risk 0.32cvss 4.9epss 0.01
An issue was discovered in Kurmi Provisioning Suite before 7.9.0.35 and 7.10.x through 7.10.0.18. A Directory Traversal and Local File Inclusion vulnerability in the logsSys.do page allows remote attackers (authenticated as administrators) to trigger the display of unintended files. Any file accessible to the Kurmi user account could be displayed, e.g., configuration files with information such as the database password.
CVE-2024-12850MedDec 24, 2024
WordPress
Database Backup
risk 0.32cvss 4.9epss 0.02
The Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.32 via the database_backup_ajax_download() function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
CVE-2024-54382MedDec 16, 2024
Bold Themes
Bold Page Builder
risk 0.32cvss 4.9epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in boldthemes Bold Page Builder bold-page-builder allows Path Traversal.This issue affects Bold Page Builder: from n/a through <= 5.1.5.
CVE-2024-52396MedNov 14, 2024
Pluginus
Wolf Wordpress Posts Bulk Editor And Products Manager Professional
risk 0.32cvss 4.9epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RealMag777 WOLF bulk-editor allows Path Traversal.This issue affects WOLF: from n/a through <= 1.0.8.3.
CVE-2024-9146MedOct 5, 2024
risk 0.32cvss 4.9epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in jamesdlow CSS JS Files css-js-files allows Path Traversal.This issue affects CSS JS Files: from n/a through <= 1.5.0.
CVE-2023-23872MedMay 17, 2024
WordPress
Gmace
risk 0.32cvss 4.9epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in German Mesky GMAce allows Path Traversal.This issue affects GMAce: from n/a through 1.5.2.