Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in pitinca XLSXviewer xlsx-viewer allows Path Traversal. This issue affects XLSXviewer: from n/a through <= 2.1.1.
Published: 2025-01-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The XLSXviewer plugin for WordPress suffers from a Path Traversal flaw (CWE-22) that permits an attacker to delete arbitrary files on the server. Because the plugin does not restrict the supplied file path parameter to a safe directory, a crafted request that manipulates that parameter can cause the plugin to delete files elsewhere within the WordPress file system. This can result in loss of website data, configuration files, or other critical assets, effectively compromising the integrity and availability of the site.

Affected Systems

The vulnerability affects the XLSXviewer plugin by pitinca, versions up to and including 2.1.1. Any WordPress installation running this plugin at version 2.1.1 or earlier is susceptible. The issue is present from the initial release of the plugin through the stated maximum version.

Risk and Exploitability

The CVSS score of 7.5 indicates a high risk to confidentiality and integrity, while an EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA KEV, implying no publicly documented active exploitation. The likely attack vector, inferred from the plugin's functionality, is through an exposed endpoint that accepts file path input, potentially reachable by unauthenticated users or users with plugin access. Given the severity and potential impact, administrators should treat this as a high-priority concern.

Generated by OpenCVE AI on May 1, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the XLSXviewer plugin to a version newer than 2.1.1 or apply any vendor-supplied patch.
  • If an upgrade is not immediately available, remove or disable the XLSXviewer plugin until a secure version is released.
  • Limit file system permissions on the WordPress uploads and plugin directories and enforce strict path validation for any plugin inputs that handle file paths.

Generated by OpenCVE AI on May 1, 2026 at 19:48 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-3250
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound XLSXviewer allows Path Traversal. This issue affects XLSXviewer: from n/a through 2.1.1.
History

(Each entry lists the changed field, the value removed and the value added, where shown.)

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description, value removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound XLSXviewer allows Path Traversal. This issue affects XLSXviewer: from n/a through 2.1.1.
  Description, value added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in pitinca XLSXviewer xlsx-viewer allows Path Traversal.This issue affects XLSXviewer: from n/a through <= 2.1.1.
  References: (values not shown)
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L'}

Wed, 22 Jan 2025 20:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Jan 2025 14:45:00 +0000
  Description, value added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound XLSXviewer allows Path Traversal. This issue affects XLSXviewer: from n/a through 2.1.1.
  Title, value added: WordPress XLSXviewer plugin <= 2.1.1 - Arbitrary File Deletion vulnerability
  Weaknesses, value added: CWE-22
  References: (values not shown)
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L'}

Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:13.269Z

Reserved: 2025-01-16T11:26:20.968Z

Link: CVE-2025-23562

Vulnrichment

Updated: 2025-01-22T16:18:20.462Z

NVD

Status: Deferred

Published: 2025-01-22T15:15:17.557

Modified: 2026-04-23T15:24:03.017

Link: CVE-2025-23562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T20:00:13Z

Weaknesses