Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gioni Plugin Inspector plugin-inspector allows Path Traversal. This issue affects Plugin Inspector: from n/a through <= 1.5.
Published: 2025-06-27
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Plugin Inspector plugin contains a path traversal vulnerability that allows attackers to download arbitrary files from the server. This flaw permits confidential files such as wp-config.php and database credentials to be retrieved via the plugin’s download endpoint. The vulnerability is classified as CWE-22 and has a CVSS score of 4.9, indicating moderate impact on confidentiality.

Affected Systems

The flaw affects installations of gioni’s Plugin Inspector plugin version 1.5 and earlier. All users who have not upgraded past version 1.5 are potentially vulnerable. No other vendors or products are listed in the CNA data.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate risk, while the EPSS score of less than 1% suggests very low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog, so no known active exploitation campaigns are reported. The most likely attack vector is via a remote request to the plugin’s file download endpoint, though this is inferred from the description as the precise attack path is not detailed.

Generated by OpenCVE AI on April 30, 2026 at 10:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Plugin Inspector release (any version newer than 1.5) when it becomes available.
  • If an upgrade is not possible, completely delete or deactivate the Plugin Inspector plugin to eliminate the vulnerability.
  • Implement server-side checks or .htaccess rules that block URLs containing path-traversal patterns such as '../' to provide an additional safeguard.

Advisories
Source: EUVD
ID: EUVD-2025-19364
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gioni Plugin Inspector allows Path Traversal. This issue affects Plugin Inspector: from n/a through 1.5.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gioni Plugin Inspector allows Path Traversal. This issue affects Plugin Inspector: from n/a through 1.5.
  Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gioni Plugin Inspector plugin-inspector allows Path Traversal.This issue affects Plugin Inspector: from n/a through <= 1.5.
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 13:45:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gioni Plugin Inspector allows Path Traversal. This issue affects Plugin Inspector: from n/a through 1.5.
Title WordPress Plugin Inspector plugin <= 1.5 - Arbitrary File Download Vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:23.093Z

Reserved: 2025-06-27T11:58:59.925Z

Link: CVE-2025-53298

Vulnrichment

Updated: 2025-06-27T13:47:26.597Z

NVD

Status: Deferred

Published: 2025-06-27T14:15:51.697

Modified: 2026-04-23T15:32:26.870

Link: CVE-2025-53298

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T10:15:34Z

Weaknesses