Description
Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress pro-watermark allows Path Traversal. This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through <= 2.0.
Published: 2025-12-31
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal flaw that lets an attacker access files outside the intended directory through a malformed URL pattern. An adversary could read sensitive files, such as configuration files or database dumps, compromising confidentiality. The flaw does not directly grant code execution, but the stolen data could enable further attacks.

Affected Systems

The flaw affects the AA‑Team Pro Bulk Watermark Plugin for WordPress versions from the initial release through 2.0. No specific patch level is listed for earlier versions; any installation of the plugin at or below 2.0 is impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate risk, while the EPSS of less than 1% suggests low exploitation probability, and the flaw is not currently listed in the CISA KEV catalog. Attackers likely exploit the weakness via unauthenticated web requests that trigger the plugin’s file handling code, and the traversal can be achieved without additional privileges.

Generated by OpenCVE AI on May 1, 2026 at 06:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AA‑Team Pro Bulk Watermark Plugin to the latest version that removes the path traversal flaw
  • If an immediate update cannot be performed, configure the web server to block '../' and similar patterns and ensure the plugin’s file paths are resolved securely
  • Limit file system permissions so that the web server process cannot read sensitive directories, and monitor logs for attempts to access disallowed files
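
The second recommendation above, as an added example (not the plugin's code, which this page does not show): a single-pass filter that strips `../` turns the `.../...//` sequence named in the description into `../`, while canonicalizing the path and checking containment rejects it. Function names and the temporary directory layout are constructed for the demonstration.

```php
<?php
// Added illustration of CWE-35; not the plugin's code. All names are hypothetical.

// Weak: one pass of removing "../". Applied to ".../...//" it leaves "../".
function weak_sanitize(string $name): string {
    return str_replace('../', '', $name);
}

// Hardened: canonicalize first, then require the result to sit under the base.
function resolve_inside(string $baseDir, string $name): ?string {
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // base or target does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample layout: uploads/photo.jpg is servable, secret.txt is not.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cwe35_demo_' . bin2hex(random_bytes(4));
$uploads = $root . DIRECTORY_SEPARATOR . 'uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . DIRECTORY_SEPARATOR . 'photo.jpg', 'image bytes');
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.txt', 'not for download');

foreach (['photo.jpg', '../secret.txt', '.../...//secret.txt'] as $name) {
    $filtered = weak_sanitize($name);
    // Weak handler: trusts the filtered name and joins it to the base directory.
    $weakServes = is_file($uploads . DIRECTORY_SEPARATOR . $filtered);
    // Hardened handler: containment check on the canonical path.
    $safeServes = resolve_inside($uploads, $name) !== null;
    printf("%-22s filtered=%-16s weak=%-5s hardened=%s\n",
        $name, $filtered, $weakServes ? 'serve' : 'deny', $safeServes ? 'serve' : 'deny');
}

// Remove the constructed files.
unlink($uploads . DIRECTORY_SEPARATOR . 'photo.jpg');
unlink($root . DIRECTORY_SEPARATOR . 'secret.txt');
rmdir($uploads);
rmdir($root);
```

The containment check belongs in the file handler itself; a web-server rule that blocks `../` inspects the raw request and can miss nested or encoded variants.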



Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress allows Path Traversal. This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through 2.0.
  Values Added: Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress pro-watermark allows Path Traversal. This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through <= 2.0.
References

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Aa-team
Aa-team pro Bulk Watermark Plugin
Wordpress
Wordpress wordpress
Vendors & Products Aa-team
Aa-team pro Bulk Watermark Plugin
Wordpress
Wordpress wordpress

Fri, 02 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 31 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Description Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress allows Path Traversal. This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through 2.0.
Title WordPress Pro Bulk Watermark Plugin for WordPress <= 2.0 - Path Traversal Vulnerability
Weaknesses CWE-35
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.747Z

Reserved: 2025-03-11T08:10:27.474Z

Link: CVE-2025-28973

Vulnrichment

Updated: 2026-01-02T19:21:14.224Z

NVD

Status: Deferred

Published: 2025-12-31T20:15:42.207

Modified: 2026-04-29T10:16:44.113

Link: CVE-2025-28973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:00:13Z

Weaknesses