Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in neoslab Database Toolset database-toolset allows Path Traversal. This issue affects Database Toolset: from n/a through <= 1.8.4.
Published: 2025-04-11
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Database Toolset plugin allows an attacker to traverse directory boundaries and delete files outside the expected upload area. This path traversal flaw can result in the removal of critical configuration files, website assets, or other data, causing significant damage to confidentiality and availability. The weakness is identified as CWE-22 and is rated with a CVSS score of 8.6.

Affected Systems

The affected product is the WordPress Database Toolset plugin developed by neoslab. Any WordPress installation running Database Toolset version 1.8.4 or earlier is vulnerable. The version range is described as "from n/a through <= 1.8.4", indicating that all releases up to this point are impacted.

Risk and Exploitability

The EPSS score of less than 1% suggests that exploitation attempts are expected to be infrequent, yet the high CVSS score indicates that the impact of successful exploitation is severe. The vulnerability is not registered in the CISA KEV catalog. Exploitation would most likely occur via a remote HTTP request to the plugin’s interface or REST endpoint, allowing an attacker to supply a crafted file path; therefore, authenticated or unauthenticated access to the vulnerable endpoint would enable deletion of arbitrary files on the host. Defense in depth demands that sites correct the flaw promptly.

Generated by OpenCVE AI on May 1, 2026 at 10:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Database Toolset to the latest version that removes the path traversal vulnerability
  • Restrict plugin access to authenticated users only, ensuring that only privileged accounts can use file deletion features
  • Remove write permissions from directories that the plugin can target to eliminate potential file deletion

Generated by OpenCVE AI on May 1, 2026 at 10:28 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-10755
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in neoslab Database Toolset allows Path Traversal. This issue affects Database Toolset: from n/a through 1.8.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in neoslab Database Toolset allows Path Traversal. This issue affects Database Toolset: from n/a through 1.8.4.
  Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in neoslab Database Toolset database-toolset allows Path Traversal. This issue affects Database Toolset: from n/a through <= 1.8.4.
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Fri, 11 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 11 Apr 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in neoslab Database Toolset allows Path Traversal. This issue affects Database Toolset: from n/a through 1.8.4.
Title WordPress Database Toolset Plugin <= 1.8.4 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:25.806Z

Reserved: 2025-04-09T11:20:51.368Z

Link: CVE-2025-32633

Vulnrichment

Updated: 2025-04-11T13:32:51.600Z

NVD

Status: Deferred

Published: 2025-04-11T09:15:34.130

Modified: 2026-06-17T09:12:20.027

Link: CVE-2025-32633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T10:30:15Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')