CVE-2025-14867 - Vulnerability Details

- Flashcard Plugin for WordPress <= 0.9 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal

Description

The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Published: 2026-01-07

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Flashcard plugin for WordPress is vulnerable to a path traversal flaw that is exploitable through the 'source' attribute of its shortcode. When an authenticated user with contributor or higher privileges supplies a crafted value containing directory traversal sequences, the plugin interprets it as a file path and returns the contents of that file to the browser. This allows the attacker to read any readable file on the server, potentially exposing database credentials, configuration files, or other sensitive information. The weakness is a classic path traversal issue (CWE‑22).

Affected Systems

All installations of the Flashcard plugin for WordPress with a version number 0.9 or lower are vulnerable. No specific third‑party patches or version numbers that remove the flaw are listed in the available CNA data.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating a moderate impact. EPSS is reported to be less than 1%, implying a low probability of exploitation in the wild. It is not listed in CISA’s KEV catalog. The likely attack vector requires authentication; an attacker must be granted at least contributor access to the site and then can inject a malicious value into the shortcode. Once exploited, the attacker can read arbitrary files, which may compromise confidentiality and potentially integrity if the attacker can modify the view or metrics derived from those files.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

liangshao

Flashcard Plugin for WordPress

unaffected

Version	Status	Constraints
`0`	affected	≤ 0.9

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Flashcard plugin to a fixed version—if no newer release is available, disable the plugin altogether.
Restrict contributor and other non‑admin roles from using the flashcard shortcode with the source attribute, or audit role permissions to ensure that users without read‑file privileges cannot supply this parameter.
Monitor web‑server logs for repeated attempts to use the flashcard shortcode with path traversal patterns and block or alert on suspicious requests.

Generated by OpenCVE AI on April 20, 2026 at 21:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00066.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/flashcard/tags/0.9/flashcard.php?marks=73,109#L73
https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fcc6e5-1f90-41e7-8d5a-2bfe8cbf46fa?source=cve

History

Thu, 08 Jan 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress
Vendors & Products		Wordpress Wordpress wordpress

Wed, 07 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 07 Jan 2026 06:45:00 +0000

Type	Values Removed	Values Added
Description		The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Title		Flashcard Plugin for WordPress <= 0.9 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal
Weaknesses		CWE-22
References		https://plugins.trac.wordpress.org/browser/flashcard/tags/0.9/flashcard.php?marks=73,109#L73 https://www.wordfence.com/threat-intel/vulnerabilities/id/f4fcc6e5-1f90-41e7-8d5a-2bfe8cbf46fa?source=cve
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-01-07T06:36:04.362Z

Updated: 2026-04-08T17:33:15.097Z

Reserved: 2025-12-18T02:45:09.366Z

Link: CVE-2025-14867

Vulnrichment

Updated: 2026-01-07T14:51:16.747Z

NVD

Status : Deferred

Published: 2026-01-07T12:16:57.177

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14867

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:30:18Z

Weaknesses

CWE-22

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object