Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders allows Path Traversal. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.9.0.
Published: 2025-08-14
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper limitation of a pathname to a restricted directory (CWE-22) in the Barcode Scanner with Inventory & Order Manager plugin lets an attacker who holds a privileged WordPress role (the CVSS vector records PR:H) request arbitrary files from the server through the plugin's file download functionality. By manipulating the file request parameter, the attacker can download files that should not be reachable through the plugin, potentially exposing sensitive configuration files, credentials, or other confidential data. The flaw affects confidentiality only: files can be read, not written or deleted, so the recorded impact is high on confidentiality and none on integrity or availability.

Affected Systems

The vulnerability affects the Barcode Scanner with Inventory & Order Manager WordPress plugin distributed by Dmitry V. (CEO of "UKR Solution"), in all releases up to and including 1.9.0 (the record gives no lower bound). Any site running the plugin at or below that release is affected.

Risk and Exploitability

The CVSS 3.1 base score of 4.9 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) describes a network-reachable, low-complexity flaw with a high confidentiality impact whose score is held down by a single factor: it requires high privileges (PR:H). The attacker needs an account with a privileged role on the WordPress site, not an anonymous or low-privilege session, and no user interaction is needed. The EPSS score of less than 1% indicates a low likelihood of exploitation as of the latest data, the issue is not listed in CISA's KEV catalog, and the SSVC assessment recorded on 2025-08-14 rates exploitation as "none", the flaw as not automatable, and the technical impact as "partial". Based on the description and the original advisory title ("Arbitrary File Download"), the attack is a remote web request to the plugin's file download endpoint carrying a manipulated path value that steps outside the intended directory; since the endpoint is part of the web interface, a privileged user, or an attacker who has obtained such credentials, can issue it from anywhere. Practical risk is therefore concentrated on sites where privileged accounts are shared, weakly protected, or already compromised, where this flaw turns that access into a read of files such as the site's configuration and credentials.

Generated by OpenCVE AI on April 30, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Barcode Scanner with Inventory & Order Manager plugin to a release newer than 1.9.0 as soon as the vendor publishes one; at the time of this record no vendor fix or workaround is listed, so check the plugin's changelog for a release that addresses the path traversal.
  • If an upgrade is not immediately possible, disable or remove any functionality that accepts user‑supplied file paths, or restrict access to the download endpoint to authenticated users with appropriate capabilities.
  • Implement server‑side input validation: resolve the requested path to its canonical form (for example with PHP's realpath()), then verify that the result is a regular file inside the expected export or upload directory before opening it. Do not rely on stripping dot‑dot sequences alone: nested forms such as `....//`, URL‑encoded dots, absolute paths and symlinks inside the allowed directory all survive a simple string filter, and only a check on the canonicalised path catches them.
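The containment check described in the last item above, written out as an added example in Python (it is not the plugin's PHP and not code from the vendor or from OpenCVE): it builds a constructed sandbox under a temporary directory, puts the weak "strip `../`" filter beside a realpath‑based containment check, and runs both against the request values a path‑traversal attacker actually sends. The directory layout, file names and payloads are assumptions for illustration; in a real plugin the same logic would sit behind the capability check on the download endpoint.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote

# Constructed sandbox (not a real WordPress install): an export directory under a
# throwaway upload root, one legitimate export file, one sensitive file outside the
# export directory standing in for wp-config.php, and a symlink that points at it.
UPLOAD_ROOT = tempfile.mkdtemp(prefix="wp_uploads_")
EXPORT_DIR = os.path.join(UPLOAD_ROOT, "barcode-exports")
os.makedirs(EXPORT_DIR)

EXPORT_CSV = os.path.join(EXPORT_DIR, "orders.csv")
with open(EXPORT_CSV, "w") as fh:
    fh.write("sku,qty\nABC-1,3\n")

SECRET = os.path.join(UPLOAD_ROOT, "wp-config.php")
with open(SECRET, "w") as fh:
    fh.write("define('DB_PASSWORD', 'hunter2');\n")

LINK = os.path.join(EXPORT_DIR, "link-to-config")
try:
    os.symlink(SECRET, LINK)
    HAVE_SYMLINK = True
except (OSError, NotImplementedError):   # platforms without symlink support
    HAVE_SYMLINK = False


def strip_dotdot_resolve(requested: str) -> str:
    """The weak approach: URL-decode, delete '../' once, join under EXPORT_DIR.

    This is the filter that 'strip dot-dot sequences' advice tends to produce.
    It returns the path the endpoint would open; no containment check is made.
    """
    cleaned = unquote(requested).replace("../", "")
    return os.path.join(EXPORT_DIR, cleaned)


def naive_opens_outside(requested: str) -> bool:
    """True if the weak resolver would read an existing file outside EXPORT_DIR."""
    real = os.path.realpath(strip_dotdot_resolve(requested))
    base = os.path.realpath(EXPORT_DIR)
    return os.path.isfile(real) and os.path.commonpath([base, real]) != base


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened resolver: canonicalise first, then check containment.

    realpath() collapses '..' segments and follows symlinks, so the containment
    test is made on the file that would actually be opened. Returns the real path
    of a regular file inside EXPORT_DIR, or None for anything else.
    """
    candidate = os.path.join(EXPORT_DIR, unquote(requested))
    real = os.path.realpath(candidate)
    base = os.path.realpath(EXPORT_DIR)
    if os.path.commonpath([base, real]) != base:
        return None   # escaped the allowed directory (../, absolute path, symlink)
    if not os.path.isfile(real):
        return None   # directories, devices and missing files are not downloadable
    return real


def read_download(requested: str) -> Optional[bytes]:
    """What the download endpoint should do: serve only what safe_resolve() approves."""
    path = safe_resolve(requested)
    if path is None:
        return None
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed request values an attacker might send in the file parameter.
    payloads = ["orders.csv", "../wp-config.php", "....//wp-config.php",
                "%2e%2e/wp-config.php", SECRET, "link-to-config"]
    for p in payloads:
        print(f"{p!r:45} weak filter leaks: {naive_opens_outside(p)!s:5} "
              f"hardened serves: {read_download(p) is not None}")
```

The plain `../wp-config.php` request is the only one the string filter stops; `....//wp-config.php` collapses to `../wp-config.php` after one pass of stripping, an absolute path makes the join discard the base directory entirely, and a symlink inside the export directory is a valid in-directory name that resolves elsewhere. Because the hardened resolver tests the canonical path, all four escape attempts return None while the legitimate export is still served.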



Advisories

Source: EUVD
ID: EUVD-2025-24908
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager allows Path Traversal. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.9.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Value: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Value removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager allows Path Traversal. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.9.0.
Value added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders allows Path Traversal. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through <= 1.9.0.
Type: References (changed)
Type: Metrics (cvssV3_1)
Value: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Sat, 16 Aug 2025 21:45:00 +0000

Type: First Time appeared
Values added: Wordpress, Wordpress wordpress
Type: Vendors & Products
Values added: Wordpress, Wordpress wordpress


Thu, 14 Aug 2025 20:15:00 +0000

Type: Metrics (ssvc)
Value added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 18:30:00 +0000

Type: Description
Value added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager allows Path Traversal. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.9.0.
Type: Title
Value added: WordPress Barcode Scanner with Inventory & Order Manager Plugin <= 1.9.0 - Arbitrary File Download Vulnerability
Type: Weaknesses
Value added: CWE-22
Type: References (added)
Type: Metrics (cvssV3_1)
Value added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Updated: 2026-04-28T16:13:35.887Z

Reserved: 2025-07-28T10:56:17.343Z

Link: CVE-2025-54715

Vulnrichment

Updated: 2025-08-14T19:30:07.849Z

NVD

Status: Deferred

Published: 2025-08-14T19:15:37.787

Modified: 2026-04-23T15:32:52.740

Link: CVE-2025-54715

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:30:27Z

Weaknesses