Description
The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to read and modify the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-04-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read and Write
Action: Apply Patch
AI Analysis

Impact

The WPMasterToolKit All in one plugin suffers a directory traversal flaw that allows an authenticated user with Administrator or higher privileges to read any file on the server and to overwrite arbitrary files. This grants an attacker full confidentiality and integrity compromise, enabling extraction of credentials, configuration data, or execution of arbitrary code by modifying core files. The weakness is identified as CWE‑22.

Affected Systems

Affected systems are installations of the WPMMasterToolKit All in one plugin created by ludwigyou, in any version up to and including 2.5.2. No other products or versions are listed as impacted.

Risk and Exploitability

The plugin’s CVSS score of 7.2 categorizes the flaw as high severity, and the EPSS of 1% indicates a low but non-zero likelihood of exploitation under current conditions. It is not yet in the CISA KEV catalog. Since the vulnerability requires administrator-level authentication, the attacker must first gain legitimate access through WordPress credentials; once in, the flaw can be triggered via the plugin’s front‑end or back‑end interface, allowing file read and write operations without additional network vectors.

Generated by OpenCVE AI on April 20, 2026 at 23:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPMasterToolKit plugin to the latest version (2.5.3 or later) which resolves the directory traversal flaw.
  • If an immediate upgrade is not possible, revoke or restrict administrator privileges for users who do not require them, and consider disabling the plugin’s file manipulation features in the permissions configuration.
  • Configure the web server to disallow read or write access to critical directories from the application context, effectively blocking the exploitation path until a patch is applied.

Generated by OpenCVE AI on April 20, 2026 at 23:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-12127 The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to read and modify the contents of arbitrary files on the server, which can contain sensitive information.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Thu, 24 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 24 Apr 2025 08:45:00 +0000

Type Values Removed Values Added
Description The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to read and modify the contents of arbitrary files on the server, which can contain sensitive information.
Title WPMasterToolKit (WPMTK) – All in one plugin <= 2.5.2 - Authenticated (Administrator+) to Arbitrary File Read and Write
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:24.405Z

Reserved: 2025-04-04T19:18:20.231Z

Link: CVE-2025-3300

cve-icon Vulnrichment

Updated: 2025-04-24T13:52:12.133Z

cve-icon NVD

Status : Deferred

Published: 2025-04-24T09:15:31.203

Modified: 2026-06-17T09:19:36.140

Link: CVE-2025-3300

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')