Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Taskbot taskbot allows Path Traversal. This issue affects Taskbot: from n/a through <= 6.4.
Published: 2025-10-22
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a Path Traversal weakness that allows an attacker to delete arbitrary files from the server. This can destroy critical system files, configuration archives, or website content, effectively disabling the site or compromising data integrity. The vulnerability is identified as CWE‑22 and is documented as a high‑severity issue with a CVSS score of 7.7.

Affected Systems

The vulnerability affects AmentoTech’s Taskbot WordPress plugin for all releases up to and including version 6.4. No specific sub‑version information is provided beyond the upper bound of 6.4.

Risk and Exploitability

With a high CVSS score of 7.7 and an extremely low EPSS probability (< 1%), the likelihood of exploitation is quite small at present, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the plugin is web‑exposed and likely reachable by an attacker with internet access, so remote exploitation is inferred as the primary attack vector. As the flaw permits direct file deletion, a successful attack would immediately disrupt the affected WordPress site.

Generated by OpenCVE AI on April 30, 2026 at 05:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Taskbot plugin to a version newer than 6.4; if a later version is not available, migrate to an alternative task scheduler plugin.
  • If the plugin is not essential, disable or delete it from the WordPress installation.
  • Apply file‑system permissions and access controls that prevent the web process from modifying arbitrary files, especially the directories that Taskbot can access, as a temporary safeguard.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}
Values Added: cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


Thu, 23 Oct 2025 14:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Taskbot taskbot allows Path Traversal. This issue affects Taskbot: from n/a through <= 6.4.
Type: Title
Values Added: WordPress Taskbot plugin <= 6.4 - Arbitrary File Deletion vulnerability
Type: Weaknesses
Values Added: CWE-22
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.400Z

Reserved: 2025-09-06T04:45:02.778Z

Link: CVE-2025-58959

Vulnrichment

Updated: 2025-10-23T13:44:05.419Z

NVD

Status: Deferred

Published: 2025-10-22T15:15:52.543

Modified: 2026-04-27T20:16:22.700

Link: CVE-2025-58959

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:45:16Z

Weaknesses