Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in aytechnet DyaPress ERP/CRM dyapress allows PHP Local File Inclusion. This issue affects DyaPress ERP/CRM: from n/a through <= 18.0.2.0.
Published: 2025-04-10
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Path Traversal flaw (CWE-22) in the aytechnet DyaPress ERP/CRM WordPress plugin that permits PHP Local File Inclusion. The flaw allows an attacker to supply an arbitrary file path to the plugin’s include mechanism, potentially reading sensitive files or executing server‑side PHP code. The impact is therefore a compromise of confidentiality and integrity and, where conditions on the host allow it, code execution on the web server.

Affected Systems

The affected product is the aytechnet DyaPress ERP/CRM plugin for WordPress. All releases from the earliest available version up to and including 18.0.2.0 are affected. The plugin is part of the WordPress ecosystem, so the attack surface exists on any WordPress installation that has this plugin enabled.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H on this record) rates the outcome as high severity: the flaw is network-reachable and requires neither privileges nor user interaction, but attack complexity is rated high. The EPSS score of '< 1%' indicates a low estimated probability of exploitation as of this analysis, and the vulnerability is not catalogued in CISA KEV. The description does not state authentication requirements, but the PR:N component and the nature of the flaw suggest that a request to the plugin carrying a crafted file parameter can be made by an external, unauthenticated user, so the attack vector is remote. An attacker who triggers the traversal could read arbitrary files readable by the web server process, or execute code if attacker-controlled content can be written somewhere the include can reach. The likely attack vector is a web request containing a malicious file path aimed at the plugin’s include logic.

Generated by OpenCVE AI on May 1, 2026 at 10:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the DyaPress ERP/CRM plugin to a version newer than 18.0.2.0.
  • If an upgrade cannot be performed immediately, uninstall or disable the vulnerable plugin to remove the attack surface.
  • As a temporary measure, configure a web application firewall or the server’s .htaccess to block requests that contain ‘..’ or other traversal patterns targeting the plugin’s file parameter.
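The include pattern behind this flaw class (described under Impact above) and a hardened form of it, as an added illustration that is not DyaPress code and not from this record; the plugin’s actual include logic is not on this page, and the directory name, view names and the `view` parameter are assumptions for the example. The resolver rejects the `..` traversal inputs that the temporary WAF rule above is meant to block, but does so in the application itself, so it does not depend on pattern matching at the edge:

```php
<?php
// Added illustration, not DyaPress code. Template directory, allowlist entries
// and the 'view' parameter are constructed for the example.
declare(strict_types=1);

// Vulnerable pattern (CWE-22 leading to Local File Inclusion): a request
// value reaches include() with only a directory prefix prepended. Sequences
// such as "../" move the resolved path outside the intended directory.
function render_view_unsafe(string $template_dir, string $view): void
{
    include $template_dir . '/' . $view . '.php';
}

// Hardened pattern: (1) an allowlist of known view names and (2) a realpath()
// containment check that the resolved file lies under the template directory.
// Either control alone is commonly used; together they give defence in depth.
function resolve_view(string $template_dir, string $view): ?string
{
    static $allowed = ['dashboard', 'invoice', 'customer']; // constructed list

    if (!in_array($view, $allowed, true)) {
        return null;
    }

    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $view . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }

    // Resolved path must start with the base directory plus a separator, so a
    // sibling directory sharing the prefix (e.g. templates-old) is also refused.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

function render_view_safe(string $template_dir, string $view): void
{
    $path = resolve_view($template_dir, $view);
    if ($path === null) {
        http_response_code(400);
        // Rejected values are a useful detection signal for the site owner.
        error_log('rejected view parameter: ' . $view);
        return;
    }
    include $path;
}

// Self-check with constructed inputs. 'dashboard' resolves only if
// templates/dashboard.php exists next to this script; the other two are
// refused by the allowlist before any filesystem lookup happens.
foreach (['dashboard', 'unknown', '../other'] as $candidate) {
    $ok = resolve_view(__DIR__ . '/templates', $candidate) !== null;
    printf("%-12s %s\n", $candidate, $ok ? 'resolved' : 'rejected');
}

// In a WordPress plugin the parameter would be read with the core helpers
// (real WordPress functions; shown as a comment because they need WordPress
// loaded) and then passed through the hardened resolver:
// $view = sanitize_key( wp_unslash( $_GET['view'] ?? '' ) );
// render_view_safe( plugin_dir_path( __FILE__ ) . 'templates', $view );
```

The allowlist is the control that actually closes the hole: it turns the free-form file parameter into a choice among fixed names. The realpath() check is a second line of defence in case the allowlist is later loosened, and the 400 plus log entry gives defenders something to alert on when traversal strings arrive.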

Advisories
Source: EUVD
ID: EUVD-2025-10472
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in aytechnet DyaPress ERP/CRM allows PHP Local File Inclusion. This issue affects DyaPress ERP/CRM: from n/a through 18.0.2.0.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in aytechnet DyaPress ERP/CRM allows PHP Local File Inclusion. This issue affects DyaPress ERP/CRM: from n/a through 18.0.2.0.
    Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in aytechnet DyaPress ERP/CRM dyapress allows PHP Local File Inclusion.This issue affects DyaPress ERP/CRM: from n/a through <= 18.0.2.0.
  Title
    Removed: WordPress DyaPress ERP/CRM <= 18.0.2.0 - Local File Inclusion Vulnerability
    Added: WordPress DyaPress ERP/CRM plugin <= 18.0.2.0 - Local File Inclusion Vulnerability
  References
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 10 Apr 2025 14:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 10 Apr 2025 08:15:00 +0000
  Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in aytechnet DyaPress ERP/CRM allows PHP Local File Inclusion. This issue affects DyaPress ERP/CRM: from n/a through 18.0.2.0.
  Title: WordPress DyaPress ERP/CRM <= 18.0.2.0 - Local File Inclusion Vulnerability
  Weaknesses: CWE-22
  References
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:54.654Z

Reserved: 2025-03-24T13:00:24.105Z

Link: CVE-2025-30582

Vulnrichment

Updated: 2025-04-10T13:16:05.305Z

NVD

Status: Deferred

Published: 2025-04-10T08:15:14.983

Modified: 2026-04-23T15:26:54.557

Link: CVE-2025-30582

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:45:05Z

Weaknesses