Description
The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.16.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
Published: 2025-12-12
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Immediate Patch
AI Analysis

Impact

The WatchTowerHQ plugin for WordPress contains an insufficient path validation flaw in the handle_big_object_download_request function. This flaw allows an attacker who is authenticated as an administrator and possesses a valid access token to read any file on the server by providing a crafted 'wht_download_big_object_origin' parameter. The attacker could expose sensitive data such as database credentials or authentication keys.
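As an added illustration of the CWE-22 pattern this record describes (not code from the WatchTowerHQ plugin, whose source is not shown here), the PHP 8 snippet below contrasts a hypothetical handler that hands the 'wht_download_big_object_origin' value straight to the filesystem with one that canonicalises the path and requires it to stay inside an allowed base directory. The two handler names echo the advisory's function name with `_insecure`/`_hardened` suffixes; the helper `resolve_inside_base`, the base directory and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added example (PHP 8): generic CWE-22 check for a download parameter.
// Not the WatchTowerHQ plugin's code; names echo the advisory, everything else is assumed.

// Hypothetical insecure handler: the request parameter becomes the file path unchanged,
// so any '../' sequence or absolute path reaches whatever the web server account can read.
function handle_big_object_download_request_insecure(array $request): string|false
{
    $origin = (string) ($request['wht_download_big_object_origin'] ?? '');
    return is_file($origin) ? file_get_contents($origin) : false;
}

// Resolve $userPath relative to $baseDir and return its canonical path,
// or null if it does not exist or escapes the base directory.
function resolve_inside_base(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject empty input, embedded NUL bytes and absolute paths before touching the filesystem.
    if ($userPath === '' || str_contains($userPath, "\0") || $userPath[0] === DIRECTORY_SEPARATOR) {
        return null;
    }
    // realpath() collapses '..' segments and follows symlinks, so the check below
    // is made on the path that would actually be opened.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;
    }
    // Compare with a trailing separator so "/data/objects-private" cannot pass as "/data/objects".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($candidate, $prefix) ? $candidate : null;
}

// Hardened handler: same interface, but the path must resolve inside $baseDir.
function handle_big_object_download_request_hardened(array $request, string $baseDir): string|false
{
    $origin = (string) ($request['wht_download_big_object_origin'] ?? '');
    $path = resolve_inside_base($baseDir, $origin);
    return ($path !== null && is_file($path)) ? file_get_contents($path) : false;
}

// Constructed demonstration: a temporary base directory holding one legitimate object,
// plus one file just outside it that must never be served.
$root = sys_get_temp_dir() . '/wht_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/objects', 0700, true);
file_put_contents($root . '/objects/report.bin', 'object data');
file_put_contents($root . '/outside.txt', 'must stay unreadable');

$probes = [
    'report.bin',             // legitimate object inside the base
    '../outside.txt',         // traversal out of the base
    $root . '/outside.txt',   // absolute path
    "report.bin\0.txt",       // embedded NUL byte
];
foreach ($probes as $p) {
    $r = handle_big_object_download_request_hardened(
        ['wht_download_big_object_origin' => $p],
        $root . '/objects'
    );
    printf("hardened %-48s => %s\n", json_encode($p), $r === false ? 'rejected' : 'served');
}

// The insecure handler, by contrast, serves the absolute probe unchanged.
$leak = handle_big_object_download_request_insecure(
    ['wht_download_big_object_origin' => $root . '/outside.txt']
);
printf("insecure absolute path => %s\n", $leak === false ? 'rejected' : 'served');

// Remove the constructed files.
unlink($root . '/objects/report.bin');
unlink($root . '/outside.txt');
rmdir($root . '/objects');
rmdir($root);
```

The check is done on the output of `realpath()` rather than on the raw string because string filters for `..` miss encoded variants and symlinks; the trailing-separator prefix comparison closes the sibling-directory case that a bare `str_starts_with($candidate, $base)` would let through.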

Affected Systems

All versions of the WatchTowerHQ WordPress plugin up to and including 3.16.0 are affected. The vulnerability is present in the plugin regardless of the WordPress installation version, and any site running the affected plugin will be susceptible.

Risk and Exploitability

With a CVSS score of 4.9, the vulnerability is of medium severity, and the EPSS score below 1% indicates a very low likelihood of exploitation at this time. The flaw is not listed in the CISA KEV catalogue, further suggesting limited public exploitation. The requirement for administrator-level access and a valid access token limits exploitation to a small set of users: an attacker would first need to obtain or compromise administrative credentials before triggering the path traversal. Successful exploitation would, however, grant read access to arbitrary files on the underlying server, potentially exposing configuration files and credentials.

Generated by OpenCVE AI on April 22, 2026 at 16:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WatchTowerHQ plugin to a version newer than 3.16.0 that contains the path-validation fix.
  • Revoke or reduce administrator privileges for accounts that do not require full control, enforcing the principle of least privilege.
  • Review and restrict file permissions on the WordPress installation, ensuring that the web server account has no unnecessary read access to sensitive files; apply additional protections such as .htaccess or server-level controls where appropriate.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Description
  Removed: The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.15.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
  Added: The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.16.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
Title
  Removed: WatchTowerHQ <= 3.15.0 - Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter
  Added: WatchTowerHQ <= 3.16.0 - Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter

Mon, 15 Dec 2025 19:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 09:00:00 +0000

First Time appeared
  Added: Watchtowerhq; Watchtowerhq watchtower; Wordpress; Wordpress wordpress
Vendors & Products
  Added: Watchtowerhq; Watchtowerhq watchtower; Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Description
  Added: The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.15.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.
Title
  Added: WatchTowerHQ <= 3.15.0 - Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter
Weaknesses
  Added: CWE-22
References
Metrics
  Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Watchtowerhq Watchtower
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:42.928Z

Reserved: 2025-12-03T15:58:53.268Z

Link: CVE-2025-13972

Vulnrichment

Updated: 2025-12-15T18:08:25.910Z

NVD

Status: Deferred

Published: 2025-12-12T04:15:45.183

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13972

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:30:22Z

Weaknesses