Description
The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.2.2. This is due to insufficient path validation in the `simple_download_counter_parse_path()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which may contain sensitive information such as database credentials (wp-config.php) or system files. Please note that the vendor opted to continue to allow remote file downloads from arbitrary locations on the server; however, it has disabled this functionality on multi-sites and provided a warning to site owners in the readme.txt when they install the plugin. While not an optimal patch, we have considered this sufficient and recommend users proceed to use the plugin with caution.
Published: 2025-12-10
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read via Path Traversal
Action: Apply Patch
AI Analysis

Impact

The Simple Download Counter WordPress plugin contains a path-traversal flaw in the function `simple_download_counter_parse_path()`. An attacker who has Administrator or higher privileges can supply a crafted filename and cause the plugin to read files outside the intended directory. This allows the reading of sensitive files such as wp-config.php, potentially exposing database credentials or other confidential data. The weakness, classified as CWE-22, leads to an arbitrary file read rather than code execution.
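The root cause named above is a download path that is not confined to the directory it is supposed to serve from. The following is an added example of what such confinement looks like in PHP; it is not the plugin's `simple_download_counter_parse_path()` and not code from the vendor. The function name `resolve_download_path()`, the base directory, the temporary directory layout and the sample inputs are all assumptions constructed for the demonstration.

```php
<?php
// Added example for this write-up: a containment check for a download path.
// Not the plugin's code; function name, directory layout and inputs are assumed.
declare(strict_types=1);

/**
 * Resolve $requested relative to $base_dir and return the canonical path,
 * or null if the target does not exist or would fall outside $base_dir.
 */
function resolve_download_path(string $base_dir, string $requested): ?string
{
    // Embedded NUL bytes can truncate paths in lower layers; refuse them outright.
    if (str_contains($requested, "\0")) {
        return null;
    }

    $base = realpath($base_dir);
    if ($base === false) {
        return null; // the base directory itself must exist
    }

    // realpath() collapses "..", "." and symlinks, so the prefix check below
    // is made against the file that would actually be opened.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null; // no such file, or not reachable
    }

    // Compare against the base WITH a trailing separator, otherwise a sibling
    // such as ".../downloads-private/x" passes as being inside ".../downloads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return is_file($target) ? $target : null;
}

// Demonstration on a constructed layout under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sdc_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/downloads/docs', 0700, true);
mkdir($root . '/downloads-private', 0700, true);
file_put_contents($root . '/downloads/docs/manual.pdf', 'sample');
file_put_contents($root . '/downloads-private/secret.txt', 'sample');
file_put_contents($root . '/config.php', 'sample');

$base = $root . '/downloads';
$cases = [
    'docs/manual.pdf'                 => true,   // legitimate file inside the base
    '../config.php'                   => false,  // parent-directory escape
    'docs/../../config.php'           => false,  // escape hidden behind a valid prefix
    '../downloads-private/secret.txt' => false,  // sibling dir sharing the base's name prefix
    "docs/manual.pdf\0.jpg"           => false,  // NUL byte
    'docs/missing.pdf'                => false,  // does not exist
];

foreach ($cases as $input => $expected_ok) {
    $result = resolve_download_path($base, $input);
    $ok     = $result !== null;
    printf("%-36s => %s\n", json_encode($input), $ok ? 'ALLOW ' . $result : 'DENY');
    assert($ok === $expected_ok);
}
```

The two details that most often go wrong in checks of this kind are both exercised here: the comparison is made after `realpath()` rather than on the raw string, so `..` segments and symlinks cannot slip past a pattern match, and the allowed prefix ends in a separator, so a neighbouring directory whose name merely begins with the base name is rejected.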

Affected Systems

Affected products are the Simple Download Counter plugin for WordPress, version 2.2.2 and all earlier releases. The vendor, specialk, has not released a fixed version yet, but has disabled remote file downloads on multisite installations. No other WordPress plugins or software are listed as impacted.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate severity, and the EPSS score of less than 1% shows a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the issue requires authenticated access with Administrator privileges, it is most likely to be abused on sites whose administrator credentials have already been compromised, or by insiders. The path traversal can be triggered remotely via the plugin’s admin interface, so any site that still runs the unpatched plugin is potentially vulnerable.

Generated by OpenCVE AI on April 21, 2026 at 00:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple Download Counter plugin to a version that removes the path-traversal flaw if a fix is released.
  • If a fix is not yet available, consider disabling or uninstalling the plugin to eliminate the attack surface.
  • Restrict file system permissions so that the web-server user cannot read sensitive files outside the WordPress installation (wp-config.php itself must remain readable by PHP, so protect it with restrictive permissions rather than denying access), and use an .htaccess rule or server configuration to block direct file read attempts through the plugin.



Advisories

No advisories yet.

History

Wed, 10 Dec 2025 18:00:00 +0000

Type                   Values Removed   Values Added
First Time appeared                     Wordpress
                                        Wordpress wordpress
Vendors & Products                      Wordpress
                                        Wordpress wordpress

Wed, 10 Dec 2025 16:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 03:45:00 +0000

Type          Values Removed   Values Added
Description                    (the full description text, as given in the Description section above)
Title                          Simple Download Counter <= 2.2.2 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1
                               {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:44.734Z

Reserved: 2025-11-25T18:46:51.542Z

Link: CVE-2025-13677

Vulnrichment

Updated: 2025-12-10T15:23:22.349Z

NVD

Status: Deferred

Published: 2025-12-10T04:15:57.843

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13677

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses