Description
Relative Path Traversal vulnerability in Shah Alom Delete Comments By Status delete-comments-by-status allows Path Traversal. This issue affects Delete Comments By Status: from n/a through <= 2.1.1.
Published: 2025-03-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A relative path traversal flaw in the Delete Comments By Status plugin lets an attacker read arbitrary files on the WordPress server. If sensitive files such as configuration or credential files are reached, the result is a confidentiality breach. The weakness is classified as relative path traversal (CWE-23) and carries a high potential impact if exploited.

Affected Systems

Shah Alom Delete Comments By Status is a WordPress plugin that is vulnerable in all versions from the initial release up to and including 2.1.1. Sites running any of these versions are affected if the plugin remains activated.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of below 1% indicates a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation typically requires sending the plugin's file inclusion endpoint a crafted request whose relative path traverses directories to reach sensitive files. Since the flaw by itself is only a local file inclusion, any further attack steps depend on what the attacker can read or exploit among the server's files, with privilege escalation possible if critical files are exposed.

Generated by OpenCVE AI on May 1, 2026 at 14:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch for Delete Comments By Status (any release newer than 2.1.1) to eliminate the path traversal flaw.
  • If an update is not immediately available, disable or uninstall the plugin so that the vulnerable code paths are no longer reachable.
  • Configure the web server to block requests containing "../" sequences or use a web application firewall rule that detects and rejects relative path traversal attempts targeting the plugin.
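The third action above filters requests for "../". As an added defender example (not from OpenCVE or the plugin's code), the Python below flags access-log requests to the plugin path whose query values would resolve outside the plugin directory, percent-decoding first so that encoded or backslash variants a plain "../" filter would miss are still caught. The plugin slug comes from the advisory; the document root, the "file" parameter and the log lines are constructed placeholders.

```python
import re
import posixpath
from urllib.parse import unquote, urlsplit, parse_qsl

# Plugin slug from the advisory; the document root and the "file" query
# parameter are assumed placeholders, not the plugin's real endpoint.
PLUGIN_PATH = "/wp-content/plugins/delete-comments-by-status/"
PLUGIN_DIR = "/var/www/html" + PLUGIN_PATH.rstrip("/")

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2025:14:10:01 +0000] "GET /wp-content/plugins/delete-comments-by-status/?file=../../../wp-config.php HTTP/1.1" 200 512
203.0.113.5 - - [03/Mar/2025:14:10:02 +0000] "GET /wp-content/plugins/delete-comments-by-status/?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 512
198.51.100.7 - - [03/Mar/2025:14:11:00 +0000] "GET /wp-content/plugins/delete-comments-by-status/?file=templates/list.php HTTP/1.1" 200 88
198.51.100.9 - - [03/Mar/2025:14:12:00 +0000] "GET /wp-admin/edit-comments.php?comment_status=spam HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly (catches double encoding such as %252e) and fold
    backslashes into slashes, so a naive '../' substring filter cannot be sidestepped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def escapes_plugin_dir(value, base=PLUGIN_DIR):
    """True when the decoded, normalised path would resolve outside the plugin directory."""
    resolved = posixpath.normpath(posixpath.join(base, decode_fully(value)))
    return not (resolved == base or resolved.startswith(base + "/"))

def find_traversal_attempts(log_text):
    """Return (ip, parameter, decoded value) for requests to the plugin path whose
    query parameters would escape the plugin directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(PLUGIN_PATH):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if escapes_plugin_dir(value):
                hits.append((m.group("ip"), name, decode_fully(value)))
    return hits
```

Running find_traversal_attempts(SAMPLE_LOG) reports the two requests from 203.0.113.5 and leaves the legitimate in-directory and unrelated requests alone.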

Advisories
Source: EUVD
ID: EUVD-2025-5629
Title: Relative Path Traversal vulnerability in NotFound Delete Comments By Status allows PHP Local File Inclusion. This issue affects Delete Comments By Status: from n/a through 2.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description (removed): Relative Path Traversal vulnerability in NotFound Delete Comments By Status allows PHP Local File Inclusion. This issue affects Delete Comments By Status: from n/a through 2.1.1.
  Description (added): Relative Path Traversal vulnerability in Shah Alom Delete Comments By Status delete-comments-by-status allows Path Traversal. This issue affects Delete Comments By Status: from n/a through <= 2.1.1.
  References
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Tue, 04 Mar 2025 03:45:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 03 Mar 2025 13:45:00 +0000
  Description: Relative Path Traversal vulnerability in NotFound Delete Comments By Status allows PHP Local File Inclusion. This issue affects Delete Comments By Status: from n/a through 2.1.1.
  Title: WordPress Delete Comments By Status plugin <= 1.5.3 - Local File Inclusion vulnerability
  Weaknesses: CWE-23
  References
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:36.099Z

Reserved: 2025-02-03T13:34:59.204Z

Link: CVE-2025-25130

Vulnrichment

Updated: 2025-03-03T17:00:56.638Z

NVD

Status: Deferred

Published: 2025-03-03T14:15:52.613

Modified: 2026-04-23T15:25:39.963

Link: CVE-2025-25130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:30:06Z

Weaknesses