Description
The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.
Published: 2025-12-23
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Arbitrary File Read
Action: Immediate Patch
AI Analysis

Impact

The PhastPress plugin for WordPress is vulnerable to an unauthenticated arbitrary file read via null byte injection in all releases up to and including version 3.7. The flaw originates from a mismatch between the extension validation logic, which operates on URL‑decoded paths, and the path‑construction routine that strips content after a null byte. An attacker can craft a URL containing a double URL‑encoded null byte (%2500) followed by a permitted extension and cause the plugin to read and return any file from the webroot, including sensitive files such as wp-config.php. This exposes confidential configuration data and could enable further compromise.

Affected Systems

The affected product is the PhastPress WordPress plugin developed by Kiboit. All releases up to and including version 3.7 of the plugin are affected. WordPress sites that have not upgraded beyond 3.7 while the plugin remains active are at risk.

Risk and Exploitability

The CVSS base score is 9.8, marking the flaw as critical. The EPSS score is below 1%, indicating a low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Still, the attack is straightforward: an unauthenticated visitor can send a crafted request with a double‑encoded null byte and an allowed extension to the site, triggering the plugin to read arbitrary files from the webroot. No authentication, privileged access, or complex configuration is required for exploitation.

Generated by OpenCVE AI on April 20, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PhastPress plugin to a version newer than 3.7 or replace it with a secure alternative.
  • If an upgrade is not available, disable or uninstall PhastPress to eliminate the vulnerability.
  • Implement additional input validation or server‑side filtering to reject null byte characters (%00) in URLs before they reach the plugin’s file‑access logic, thereby mitigating the risk of null byte injection.

Generated by OpenCVE AI on April 20, 2026 at 21:20 UTC.
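The following is an added illustration, not PhastPress code and not the plugin's actual `getExtensionForURL()` / `appendNormalized()` routines (the names below are hypothetical stand-ins). It models the mismatch the Description explains, an extension check performed on the URL-decoded string beside a path built from the text before the first NUL byte, and pairs it with a hardened resolver of the kind the third recommended action asks for: it refuses control bytes and double-encoded input, confines the canonical path to the webroot, and validates the extension of the path that will actually be opened. The allow-list and the sample webroot are constructed for the demo; the request path is shown as it reaches the plugin after the web server's own percent-decoding (so `%2500` on the wire has already become `%00`).

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

# Allow-list of extensions the handler will serve (assumed; the plugin's real list is not on the page).
ALLOWED_EXTENSIONS = {"txt", "css", "js"}


def extension_of(path: str) -> str:
    """Lower-cased extension of the last path component, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def vulnerable_resolve(webroot: str, url_path: str) -> Optional[str]:
    """Vulnerable pattern (hypothetical stand-in for the advisory's two routines):
    the allow-list is checked on the URL-decoded string, but the filesystem path
    is built from the text *before* the first NUL byte, so the check and the
    open look at different file names."""
    decoded = unquote(url_path)                     # "%00" becomes "\x00"
    if extension_of(decoded) not in ALLOWED_EXTENSIONS:
        return None                                 # "...\x00.txt" ends in "txt" and passes
    truncated = decoded.split("\x00", 1)[0]         # models NUL-terminated path handling
    return os.path.normpath(os.path.join(webroot, truncated.lstrip("/")))


def hardened_resolve(webroot: str, url_path: str) -> Optional[str]:
    """Hardened form: decode once, refuse control bytes and anything still
    percent-encoded after that decode, canonicalise, confine to the webroot,
    and validate the extension of the path that will actually be opened."""
    decoded = unquote(url_path)
    if any(ord(c) < 0x20 for c in decoded):
        return None                                 # NUL or other control byte
    if unquote(decoded) != decoded:
        return None                                 # double-encoded input such as %2500
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None                                 # left the webroot via ../ or a symlink
    if extension_of(candidate) not in ALLOWED_EXTENSIONS:
        return None                                 # checked on the final path, not the URL
    if not os.path.isfile(candidate):
        return None
    return candidate


def make_demo_webroot() -> str:
    """Constructed sample site: a config file that must never be served and a
    plain text file that may be. Contents are placeholders, not real secrets."""
    root = tempfile.mkdtemp(prefix="demo-webroot-")
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* constructed placeholder */\n")
    with open(os.path.join(root, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("public text file\n")
    return root


if __name__ == "__main__":
    root = make_demo_webroot()
    # Shape from the advisory after the web server's decode: a NUL, then an allowed extension.
    probe = "wp-config.php%00.txt"
    print("vulnerable:", vulnerable_resolve(root, probe))     # ends in wp-config.php
    print("hardened:  ", hardened_resolve(root, probe))       # None
    print("hardened:  ", hardened_resolve(root, "readme.txt"))
```

The design point is ordering: every decision in `hardened_resolve` is made on the single canonical path that will be opened, so there is no second representation for a NUL byte or a `..` segment to slip between the check and the use. Rejecting input that still decodes further after one pass is what closes the `%2500` route before the plugin's own decode would turn it into a NUL.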

Advisories

No advisories yet.

History

Tue, 23 Dec 2025 23:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Kiboit; Kiboit phastpress; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Kiboit; Kiboit phastpress; Wordpress; Wordpress wordpress

Tue, 23 Dec 2025 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Dec 2025 09:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.

Type: Title
Values Removed: (none)
Values Added: PhastPress <= 3.7 - Unauthenticated Arbitrary File Read via Null Byte Injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-158

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Kiboit Phastpress
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:31:49.693Z

Reserved: 2025-12-09T20:27:24.165Z

Link: CVE-2025-14388

Vulnrichment

Updated: 2025-12-23T15:23:51.757Z

NVD

Status : Deferred

Published: 2025-12-23T10:15:43.673

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14388

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses