CVE-2025-39491 - Vulnerability Details

- WordPress WHMpress plugin <= 6.2-revision-9 - Local File Inclusion vulnerability

Description

Path Traversal vulnerability in WHMPress WHMpress allows Path Traversal. This issue affects WHMpress: from 6.2 through revision.

Published: 2025-05-16

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A Path Traversal flaw exists in the WHMPress WordPress plugin that allows attackers to influence file path parameters and read arbitrary files on the web server. This local file inclusion can expose sensitive configuration files or credentials, potentially enabling further compromise. The vulnerability is identified as CWE-35.

Affected Systems

The affected product is the WHMPress plugin. Versions from 6.2 through the revision-9 release are impacted. Any WordPress site running these plugin versions is susceptible.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, yet the EPSS score is less than 1% and the issue is not listed in the CISA KEV database, suggesting low current exploitation probability. Attackers could likely trigger the flaw by crafting a request that includes traversal sequences such as "../../" in the plugin’s file parameter, assuming the plugin does not otherwise sanitize path inputs. Successful exploitation would grant read access to local files, potentially leading to theft of credentials or further exploitation of the webserver.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

WHMPress

WHMpress

unaffected

Version	Status	Constraints
`6.2`	affected	≤ revision

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the WHMPress plugin to the latest version that contains the fix for the path traversal issue
Ensure that the web server’s configuration restricts PHP and other interpreters from accessing protected directories such as wp-config.php and uploads
Apply a web application firewall rule that blocks or rate‑limits traversal sequences in URL parameters
Monitor access logs for patterns of traversal attempts and investigate any suspicious activity

Generated by OpenCVE AI on April 30, 2026 at 20:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-15492	Path Traversal vulnerability in WHMPress WHMpress allows Path Traversal. This issue affects WHMpress: from 6.2 through revision.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00393.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/wordpress/plugin/whmpress/vulnerability/wordpress-whmpress-plugin-6-2-revision-9-local-file-inclusion-vulnerability-2?_s_id=cve

History

Tue, 28 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
References	https://patchstack.com/database/Wordpress/Plugin/whmpress/vulnerability/wordpress-whmpress-plugin-6-2-revision-9-local-file-inclusion-vulnerability-2?_s_id=cve

Tue, 28 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Description	Path Traversal: '.../...//' vulnerability in WHMPress WHMpress whmpress allows Path Traversal.This issue affects WHMpress: from n/a through <= 6.2-revision-9.	Path Traversal vulnerability in WHMPress WHMpress allows Path Traversal. This issue affects WHMpress: from 6.2 through revision.
References		https://patchstack.com/database/wordpress/plugin/whmpress/vulnerability/wordpress-whmpress-plugin-6-2-revision-9-local-file-inclusion-vulnerability-2?_s_id=cve

Thu, 23 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://patchstack.com/database/wordpress/plugin/whmpress/vulnerability/wordpress-whmpress-plugin-6-2-revision-9-local-file-inclusion-vulnerability-2?_s_id=cve

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Path Traversal vulnerability in WHMPress WHMpress allows Path Traversal. This issue affects WHMpress: from 6.2 through revision.	Path Traversal: '.../...//' vulnerability in WHMPress WHMpress whmpress allows Path Traversal.This issue affects WHMpress: from n/a through <= 6.2-revision-9.
References		https://patchstack.com/database/Wordpress/Plugin/whmpress/vulnerability/wordpress-whmpress-plugin-6-2-revision-9-local-file-inclusion-vulnerability-2?_s_id=cve

Fri, 16 May 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 16 May 2025 16:00:00 +0000

Type	Values Removed	Values Added
Description		Path Traversal vulnerability in WHMPress WHMpress allows Path Traversal. This issue affects WHMpress: from 6.2 through revision.
Title		WordPress WHMpress plugin <= 6.2-revision-9 - Local File Inclusion vulnerability
Weaknesses		CWE-35
References		https://patchstack.com/database/wordpress/plugin/whmpress/vulnerability/wordpress-whmpress-plugin-6-2-revision-9-local-file-inclusion-vulnerability-2?_s_id=cve
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-05-16T15:45:26.153Z

Updated: 2026-04-28T16:12:32.640Z

Reserved: 2025-04-16T06:23:58.700Z

Link: CVE-2025-39491

Vulnrichment

Updated: 2025-05-16T16:20:04.794Z

NVD

Status : Deferred

Published: 2025-05-16T16:15:40.543

Modified: 2026-04-28T19:32:01.223

Link: CVE-2025-39491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:15:16Z

Weaknesses

CWE-35

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object