Description
The Hot Random Image plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.2 via the 'path' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary images with allowed extensions, outside of the originally intended directory.
Published: 2025-05-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: path traversal grants authenticated contributors read access to arbitrary image files
Action: Patch
AI Analysis

Impact

Hot Random Image contains a path traversal flaw (CWE-22) in the 'path' request parameter that lets authenticated users with Contributor or higher privileges read image files outside the plugin's intended directory. Because the plugin still restricts the file types it serves to its allowed image extensions, the flaw does not lead to arbitrary code execution, but it does expose media content that may be sensitive.

Affected Systems

WordPress sites running Hot Random Image at any version up to and including 1.9.2 are affected. The plugin, distributed by hotwptemplates, is installed in the WordPress plugins directory; any site hosting it is exposed, and any user with the Contributor role or higher can trigger the vulnerability.

Risk and Exploitability

The CVSS score of 4.3 rates the vulnerability as moderate (Medium) severity. The EPSS score below 1% indicates a very low current probability of exploitation, and the flaw is not listed in CISA's KEV catalog. Because exploitation requires authentication, the likely attack vector is a compromised Contributor account or a user who otherwise obtains such permissions. Successful exploitation would let the attacker read image files outside the plugin directory but would not enable broader system compromise.

Generated by OpenCVE AI on April 22, 2026 at 01:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hot Random Image to the latest available release, which must be newer than 1.9.2 to remove the insecure 'path' handling.
  • If an immediate plugin update is not possible, block or restrict external access to the plugin's upload directory, or add code that validates the 'path' parameter and confines it to the intended directory before it is processed.
  • Audit user roles and reduce or remove Contributor privileges from users who do not require content editing abilities.
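One way to implement the 'path' validation recommended above, shown as an added PHP example that is not the plugin's own code; the function name, the base directory and the extension list are assumptions:

```php
<?php
// Added example (not the plugin's code): confine a user-supplied 'path' value to
// one intended base directory and to an allow-listed set of image extensions.
// The function name, $base_dir and the extension list are assumptions.

function hri_resolve_image_path(string $base_dir, string $requested, array $allowed_ext = ['jpg', 'jpeg', 'png', 'gif', 'webp']): ?string
{
    // Canonicalise the base directory; give up if it does not exist.
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Trailing separator so that "/srv/images-private" does not pass the
    // prefix test for base "/srv/images".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Reject NUL bytes before touching the filesystem (PHP 8 realpath() throws on them).
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Resolve relative to the base. realpath() collapses '..' segments and
    // follows symlinks, and returns false when the target does not exist.
    $candidate = realpath($base . ltrim($requested, '/\\'));
    if ($candidate === false) {
        return null;
    }

    // Containment check on the *resolved* path, so traversal sequences and
    // symlinks that escape the base directory are both rejected.
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return null;
    }

    // Extension allow-list, evaluated on the resolved file name.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    return $candidate;
}

// Hypothetical use in a request handler: null means "refuse to serve".
$image = hri_resolve_image_path(
    WP_CONTENT_DIR . '/uploads/hot-random-image',   // assumed intended directory
    (string) ($_GET['path'] ?? '')
);
if ($image === null) {
    wp_die('Invalid image path', '', ['response' => 403]);
}
```

Because the check runs on the realpath()-resolved file, a symlink inside the base directory that points outside it is also refused; if that is unwanted, relax the check deliberately rather than dropping it.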

Advisories

Source  ID               Title
EUVD    EUVD-2025-16140  The Hot Random Image plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.2 via the 'path' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary images with allowed extensions, outside of the originally intended directory.
EUVD    EUVD-2025-16141  The Hot Random Image plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.2 via the 'path' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary images with allowed extensions, outside of the originally intended directory.

History

Thu, 17 Jul 2025 16:30:00 +0000

  First Time appeared
    added: Hot-themes; Hot-themes hot Random Image
  CPEs
    removed: cpe:2.3:a:hotjoomlatemplates:hot_random_image:*:*:*:*:*:wordpress:*:*
    added: cpe:2.3:a:hot-themes:hot_random_image:*:*:*:*:*:wordpress:*:*
  Vendors & Products
    removed: Hotjoomlatemplates; Hotjoomlatemplates hot Random Image
    added: Hot-themes; Hot-themes hot Random Image

Sat, 12 Jul 2025 13:45:00 +0000

  Metrics (epss)
    removed: {'score': 0.00049}
    added: {'score': 0.0005}

Fri, 11 Jul 2025 20:00:00 +0000

  First Time appeared
    added: Hotjoomlatemplates; Hotjoomlatemplates hot Random Image
  CPEs
    added: cpe:2.3:a:hotjoomlatemplates:hot_random_image:*:*:*:*:*:wordpress:*:*
  Vendors & Products
    added: Hotjoomlatemplates; Hotjoomlatemplates hot Random Image

Thu, 22 May 2025 14:15:00 +0000

  Metrics (ssvc)
    added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 May 2025 09:30:00 +0000

  Description
    added: The Hot Random Image plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.9.2 via the 'path' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to access arbitrary images with allowed extensions, outside of the originally intended directory.
  Title
    added: Hot Random Image <= 1.9.2 - Path Traversal to Authenticated (Contributor+) Limited Arbitrary Image Access via path Parameter
  Weaknesses
    added: CWE-22
  References
  Metrics (cvssV3_1)
    added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T17:26:20.718Z
Reserved: 2025-05-07T21:24:59.017Z
Link: CVE-2025-4419

Vulnrichment

Updated: 2025-05-22T13:25:30.218Z

NVD

Status: Analyzed
Published: 2025-05-22T10:15:55.770
Modified: 2025-07-17T16:18:05.153
Link: CVE-2025-4419

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:45:05Z

Weaknesses