Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPMinds Simple WP Events simple-wp-events allows Path Traversal. This issue affects Simple WP Events: from n/a through <= 1.8.17.
Published: 2025-04-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple WP Events plugin contains a Path Traversal weakness that enables an attacker to delete any file on the WordPress server. Based on the description, it is inferred that an attacker can supply malicious input that resolves to an absolute filesystem path, allowing a remote user to remove critical configuration files or content, resulting in site compromise or data loss. The flaw is identified as CWE‑22 and can lead to destructive denial of service.

Affected Systems

This issue affects the WordPress Simple WP Events plugin from WPMinds, specifically all releases up to and including version 1.8.17. Any WordPress installation that has this plugin installed and exposed to the web is impacted. The vendor product is identified as WPMinds:Simple WP Events.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating high severity. The EPSS score of less than 1% suggests that automated exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the flaw can be triggered via a crafted HTTP request, so an attacker with network access to the WordPress site could use the path traversal remotely to delete arbitrary files and potentially disrupt service or cause further compromise.

Generated by OpenCVE AI on May 1, 2026 at 10:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple WP Events plugin to the latest available version (1.8.18 or newer) to remove the path traversal flaw.
  • If an upgrade cannot be performed immediately, uninstall the Simple WP Events plugin from the WordPress installation to eliminate the attack surface.
  • Configure strict file system permissions so that the web server only has write access to directories it must modify.
  • Monitor web server logs for abnormal delete requests or error messages that indicate attempted path traversal.


Advisories
Source: EUVD
ID: EUVD-2025-10784
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPMinds Simple WP Events allows Path Traversal. This issue affects Simple WP Events: from n/a through 1.8.17.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPMinds Simple WP Events allows Path Traversal. This issue affects Simple WP Events: from n/a through 1.8.17.
  Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPMinds Simple WP Events simple-wp-events allows Path Traversal.This issue affects Simple WP Events: from n/a through <= 1.8.17.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 11 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPMinds Simple WP Events allows Path Traversal. This issue affects Simple WP Events: from n/a through 1.8.17.
Title WordPress Simple WP Events plugin <= 1.8.17 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:23.295Z

Reserved: 2025-04-09T11:19:28.417Z

Link: CVE-2025-32509

Vulnrichment

Updated: 2025-04-11T13:50:22.796Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:23.310

Modified: 2026-04-23T15:29:00.780

Link: CVE-2025-32509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:45:05Z

Weaknesses