Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vlad.olaru Fonto fonto allows Path Traversal.This issue affects Fonto: from n/a through <= 1.2.2.
Published: 2025-04-03
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Fonto WordPress plugin contains a path‑traversal flaw (CWE‑22) that permits an attacker to request arbitrary files from the server through the plugin’s download endpoint. The flaw allows the download of any file readable by the web server process, which can expose sensitive data such as configuration files or credentials. Based on the described capability of downloading arbitrary files, it is inferred that an attacker could read files that contain credential or proprietary information, but the CVE itself does not explicitly state the specific data exposed.

Affected Systems

The issue exists in the WordPress plugin Fonto, developed by vlad.olaru, and affects all releases up to and including version 1.2.2. Any WordPress site running a vulnerable version of this plugin is potentially exposed.

Risk and Exploitability

The CVSS score of 4.9 categorises the vulnerability as moderate. The EPSS score of less than 1 % indicates a very low current exploitation probability, and the flaw is not listed in the CISA KEV catalog, suggesting no confirmed public exploits. Attackers can exploit the plugin by sending a crafted request to its download endpoint without authentication, although this is inferred from the functionality described and not explicitly stated in the CVE. The impact is limited to files readable by the web server process, yet the exposure of critical data remains a real threat.

Generated by OpenCVE AI on May 2, 2026 at 02:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fonto plugin to a version newer than 1.2.2 if an update is available.
  • Restrict access to the plugin’s download endpoint to authenticated users only, preventing unauthenticated file downloads.
  • Enforce strict directory permissions on the server to limit the web server’s read access to sensitive files that could be accessed via path traversal.
  • If an update is not available, consider disabling or uninstalling the plugin to eliminate the risk.

Generated by OpenCVE AI on May 2, 2026 at 02:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-14735 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vlad.olaru Fonto allows Path Traversal. This issue affects Fonto: from n/a through 1.2.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vlad.olaru Fonto allows Path Traversal. This issue affects Fonto: from n/a through 1.2.2. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vlad.olaru Fonto fonto allows Path Traversal.This issue affects Fonto: from n/a through <= 1.2.2.
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Thu, 03 Apr 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vlad.olaru Fonto allows Path Traversal. This issue affects Fonto: from n/a through 1.2.2.
Title WordPress Fonto plugin <= 1.2.2 - Arbitrary File Download vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:13.913Z

Reserved: 2025-04-01T13:20:32.606Z

Link: CVE-2025-31827

cve-icon Vulnrichment

Updated: 2025-04-03T18:57:33.010Z

cve-icon NVD

Status : Deferred

Published: 2025-04-03T14:15:40.360

Modified: 2026-04-23T15:28:22.237

Link: CVE-2025-31827

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T02:45:32Z

Weaknesses