Description
Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the fileID Parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-02-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Breach
Action: Apply Patch
AI Analysis

Impact

Bit Assist for WordPress is vulnerable to a path traversal flaw that allows an authenticated attacker with a Subscriber role or higher to access arbitrary files via the fileID parameter. This flaw enables the attacker to read sensitive files on the server, potentially exposing credentials, configuration data, or other confidential information. The vulnerability is identified as a classic directory traversal weakness and is further classified under CWE-22 and CWE-23.

Affected Systems

WordPress installations running the Bit Assist plugin version 1.5.2 or earlier are affected. The vulnerability applies to all releases up to and including 1.5.2, regardless of the site's theme or other plugins. Any site on which the bitapps Bit Assist plugin is reachable by accounts holding Subscriber-level or higher privileges is at risk.

Risk and Exploitability

The CVSS base score of 6.5 indicates a medium severity level, and the EPSS score of less than 1% suggests a very low probability of exploitation at the time of assessment. The vulnerability is not currently listed in the CISA KEV catalog. The attack vector requires authentication, specifically a Subscriber or higher role, but once authenticated the attacker can read arbitrary files on the server through crafted fileID values, limited only by the file permissions of the web server process.

Generated by OpenCVE AI on April 21, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Bit Assist to version 1.5.3 or later or completely uninstall the plugin if it is no longer needed.
  • Restrict the plugin’s functionality so that only privileged administrators can use the fileID parameter, effectively removing access for Subscriber accounts.
  • Implement or enforce file path validation rules in the WordPress environment to guard against directory traversal or other file inclusion attempts.
  • Review and tighten file and directory permissions on the web server to limit exposure of sensitive files to the web process.
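The third recommendation above, path validation that stops a request parameter from escaping the directory it is meant to address, is easiest to understand in working code. The following PHP is an added example written for this page; it is not Bit Assist's code and makes no claim about how the plugin resolves fileID internally. It assumes a hypothetical registry that maps an opaque identifier to a stored filename, and uses a temporary directory plus constructed sample files so it runs stand-alone with `php example.php`.

```php
<?php
// Added example (not Bit Assist's code): resolving a user-supplied file
// identifier without letting it escape a fixed base directory.

declare(strict_types=1);

/**
 * Map an opaque identifier to a stored filename. In a real plugin this lookup
 * would hit the database (a hypothetical table, shown as an in-memory array
 * here); the point is that the request carries a key, never a path.
 */
function lookup_file_name(string $file_id, array $registry): ?string
{
    // Identifiers must match a strict allowlist pattern before they are used.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $file_id)) {
        return null;
    }
    return $registry[$file_id] ?? null;
}

/**
 * Defense in depth: even a filename taken from storage is canonicalised with
 * realpath() and confirmed to live inside $base_dir. Returns the canonical
 * path, or null when the file is missing or resolves outside the base.
 */
function resolve_within_base(string $base_dir, string $file_name): ?string
{
    if ($file_name === '' || strpos($file_name, "\0") !== false) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $file_name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // The prefix check includes the trailing separator so that a sibling
    // directory such as /srv/uploads-private is not accepted as being inside
    // /srv/uploads.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixtures: one file inside the base directory, one outside it.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pathcheck_demo_' . bin2hex(random_bytes(4));
mkdir($base, 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'report.pdf', 'constructed sample content');
$outside = tempnam(sys_get_temp_dir(), 'outside_');
file_put_contents($outside, 'constructed file that must never be reachable via fileID');

// Hypothetical registry: fileID -> stored filename.
$registry = ['abc123' => 'report.pdf'];

$cases = [
    'abc123',                      // known identifier: resolves inside $base
    '../' . basename($outside),    // traversal-shaped input: rejected by the allowlist
    'nope',                        // unknown identifier: null
];
foreach ($cases as $id) {
    $name = lookup_file_name($id, $registry);
    $path = $name === null ? null : resolve_within_base($base, $name);
    printf("%-28s => %s\n", $id, $path ?? 'rejected');
}

// Even if the allowlist were bypassed, the containment check alone rejects a
// stored name that resolves outside the base directory.
$escaped = resolve_within_base($base, '../' . basename($outside));
printf("%-28s => %s\n", 'containment check only', $escaped ?? 'rejected');

// Remove the constructed fixtures.
unlink($base . DIRECTORY_SEPARATOR . 'report.pdf');
rmdir($base);
unlink($outside);
```

Two design choices matter here. First, the request never carries a filename or path; the identifier is a lookup key, so traversal sequences have nothing to act on. Second, the containment check is applied to the value that comes out of storage as well, so a poisoned database row or a future code path that skips the allowlist still cannot read outside the base directory. In a WordPress plugin the handler would additionally gate the endpoint with a capability check such as `current_user_can()` before either step, which is what the second recommendation above describes.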

Advisories
Source: EUVD
ID: EUVD-2025-1885
Title: Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the fileID Parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
History

Tue, 15 Jul 2025 13:45:00 +0000
Type: Metrics (epss)
Values Removed: {'score': 0.00055}
Values Added: {'score': 0.00084}

Mon, 14 Jul 2025 13:45:00 +0000
Type: Metrics (epss)
Values Removed: {'score': 0.00077}
Values Added: {'score': 0.00055}

Mon, 24 Feb 2025 13:00:00 +0000
Type: First Time appeared
Values Added: Bitapps; Bitapps bit Assist
Type: Weaknesses
Values Added: CWE-22
Type: CPEs
Values Added: cpe:2.3:a:bitapps:bit_assist:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Bitapps; Bitapps bit Assist

Tue, 18 Feb 2025 20:15:00 +0000
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 15 Feb 2025 13:00:00 +0000
Type: Description
Values Added: Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the fileID Parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Type: Title
Values Added: Bit Assist <= 1.5.2 - Path Traversal to Authenticated (Subscriber+) Arbitrary File Read via fileID Parameter
Type: Weaknesses
Values Added: CWE-23
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:22.293Z

Reserved: 2025-01-29T01:02:46.838Z

Link: CVE-2025-0822

Vulnrichment

Updated: 2025-02-18T16:41:43.681Z

NVD

Status: Analyzed

Published: 2025-02-15T13:15:28.847

Modified: 2025-02-24T12:36:46.670

Link: CVE-2025-0822

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses