Description
The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in all versions up to, and including, 1.6.1. This is due to missing path validation in the create_template REST API endpoint where user-controlled input from the emailkit-editor-template parameter is passed directly to file_get_contents() without sanitization. This makes it possible for authenticated attackers with Author-level permissions or higher to read arbitrary files on the server, including sensitive configuration files like /etc/passwd and wp-config.php, via the REST API. The file contents are stored in post meta and can be exfiltrated through MetForm's email confirmation feature.
Published: 2026-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: File Disclosure via Path Traversal
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the EmailKit plugin's REST API endpoint create_template, where the emailkit-editor-template parameter is passed directly to file_get_contents() without validation. This omission allows an authenticated user with Author-level or higher permissions to supply a crafted path that resolves to an arbitrary file on the server, such as /etc/passwd or wp-config.php. The attacker's ability to read these files is a confidentiality breach, exposing sensitive configuration data and potentially credentials. The weakness is identified as Path Traversal (CWE-73).

Affected Systems

Any WordPress site using the EmailKit – Email Customizer for WooCommerce & WP plugin, versions up to and including 1.6.1. The issue affects all installations of the plugin where the create_template endpoint is active.

Risk and Exploitability

With a CVSS score of 6.5 the vulnerability is rated Medium severity. The EPSS score is below 1% and the vulnerability is not listed in CISA's KEV catalog, indicating that, while the risk of exploitation is currently low, it remains realistic on any site where an attacker holds an Author-level account. An attacker would need only normal Author privileges to send a crafted request to the REST API, read any file the web server process can access, and exfiltrate the contents through the post meta in which the plugin stores them. The impact is limited to loss of confidentiality of server files, but disclosure of sensitive files such as wp-config.php could enable further attacks.

Generated by OpenCVE AI on April 22, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the EmailKit plugin to the latest available version in which the path passed to file_get_contents() is validated.
  • If an update is unavailable, temporarily disable the create_template REST API endpoint or revoke Author-level permissions that allow access to it.
  • Apply input validation to the emailkit-editor-template parameter, restricting file access to a safe directory or whitelist of known files.
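As an added illustration of the last two actions (not EmailKit's code; the function names, error codes and templates directory are assumed), a template resolver that accepts only a bare file name, resolves it inside a fixed directory, and confirms with realpath() that the result stays inside that directory before it reaches file_get_contents():

```php
<?php
// Hypothetical hardened resolver for a REST parameter such as
// emailkit-editor-template. This is not EmailKit's code; function names,
// error codes and the templates directory are assumed.

function emailkit_read_template_safely( string $requested, string $template_dir ) {
    // Keep only the file name: any directory component, including ".."
    // segments and absolute prefixes, is discarded.
    $name = basename( $requested );

    // Allow only the naming scheme the feature uses (assumed: .html files).
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.html$/', $name ) ) {
        return new WP_Error( 'emailkit_bad_template', 'Invalid template name.', array( 'status' => 400 ) );
    }

    $base = realpath( $template_dir );
    $path = realpath( $template_dir . DIRECTORY_SEPARATOR . $name );

    // realpath() returns false for missing files and resolves symlinks, so
    // the prefix check also rejects a template file that is a symlink
    // pointing outside the directory.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'emailkit_bad_template', 'Template not found.', array( 'status' => 404 ) );
    }

    return file_get_contents( $path );
}

// REST callback using the resolver. Author-level users hold edit_posts in
// WordPress, matching the privilege level the advisory describes; the
// capability check limits who reaches the endpoint but is not the fix.
function emailkit_create_template_handler( WP_REST_Request $request ) {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient permissions.', array( 'status' => 403 ) );
    }
    $template_dir = plugin_dir_path( __FILE__ ) . 'templates'; // assumed location
    $requested    = (string) $request->get_param( 'emailkit-editor-template' );
    $html         = emailkit_read_template_safely( $requested, $template_dir );
    if ( is_wp_error( $html ) ) {
        return $html;
    }
    // ... continue creating the template post from $html ...
    return rest_ensure_response( array( 'length' => strlen( $html ) ) );
}
```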



Advisories

No advisories yet.

History

Wed, 07 Jan 2026 17:15:00 +0000

  • Metrics added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 10:45:00 +0000

  • First Time appeared (values added): Roxnor, Roxnor emailkit, Woocommerce, Woocommerce woocommerce, Wordpress, Wordpress wordpress
  • Vendors & Products (values added): Roxnor, Roxnor emailkit, Woocommerce, Woocommerce woocommerce, Wordpress, Wordpress wordpress

Wed, 07 Jan 2026 04:00:00 +0000

  • Description added: the description shown at the top of this page
  • Title added: EmailKit <= 1.6.1 - Authenticated (Author+) Arbitrary File Read via Path Traversal
  • Weaknesses added: CWE-73
  • References: no values shown
  • Metrics added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:19.168Z

Reserved: 2025-12-04T19:21:34.885Z

Link: CVE-2025-14059

Vulnrichment

Updated: 2026-01-07T14:53:17.315Z

NVD

Status: Deferred

Published: 2026-01-07T12:16:51.647

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14059

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:15:03Z

Weaknesses