Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ypromo PT Luxa Addons pt-luxa-addons allows Path Traversal. This issue affects PT Luxa Addons: from n/a through <= 1.2.2.
Published: 2025-10-22
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw (CWE-22, Improper Limitation of a Pathname to a Restricted Directory) in the ypromo PT Luxa Addons WordPress plugin lets an attacker supply a file path that the plugin hands to a file deletion operation without confining it to an intended directory. Because nothing restricts the pathname, traversal sequences such as ../ can point the deletion at any file the web server process has permission to remove, including uploaded content, configuration files (for example wp-config.php) and core WordPress files. The result is loss of data and disruption of site functionality; the current CVSS vector records the damage with a high impact rating and changed scope (S:C), meaning the consequences reach beyond the plugin to the whole site.

Affected Systems

WordPress sites running the PT Luxa Addons plugin (slug pt-luxa-addons, published by ypromo) at version 1.2.2 or earlier are affected. The advisory gives no lower bound ("from n/a"), so every release up to and including 1.2.2 should be treated as vulnerable, and this page references no fixed version.

Risk and Exploitability

The CVSS 3.1 base score of 7.7 (High) describes a network-reachable, low-complexity attack (AV:N/AC:L) that needs no user interaction but does require a low-privileged authenticated account (PR:L), with changed scope (S:C). The EPSS score below 1% suggests a low probability of exploitation in the wild at this time, the vulnerability is not in the CISA KEV catalog, and this record lists no public exploit. The likely attack path is a crafted HTTP request to the plugin's file deletion handler from any account the site allows to log in; PR:L means the barrier is a low-privilege login rather than no authentication at all, so sites with open user registration are the most exposed.

Generated by OpenCVE AI on April 29, 2026 at 23:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PT Luxa Addons to a release later than 1.2.2 as soon as the vendor or the WordPress plugin directory offers one; this page currently references no fixed version, so check both before assuming one exists.
  • For the plugin developer: confine deletion to a dedicated directory by canonicalising the requested path (realpath) and rejecting anything that does not resolve inside that directory, and gate the handler behind a capability check and a nonce. This is a code change; site operators cannot apply it through configuration.
  • If an update is not available, deactivate the plugin, or block its file deletion request with a web‑application firewall or web‑server rule; at minimum reject request parameters containing traversal sequences (../, ..\ and their URL‑encoded forms). Because the CVSS vector requires only a low‑privileged account (PR:L), also review whether open user registration is needed and audit existing low‑privilege accounts.

Generated by OpenCVE AI on April 29, 2026 at 23:34 UTC.
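
To make the Impact section and the developer-side recommendation above concrete, here is an added PHP example, written for this page and not taken from PT Luxa Addons or from Patchstack (the record does not show the plugin's internals): a hypothetical WordPress AJAX file-deletion handler in the pattern that produces CWE-22, followed by a hardened version. The AJAX action name luxa_delete_file, the nonce action, the file request parameter and the helper function names are all assumptions; the WordPress functions called (wp_upload_dir, wp_unslash, sanitize_text_field, check_ajax_referer, current_user_can, wp_send_json_success, wp_send_json_error, add_action) are real core APIs.

```php
<?php
// Added example for this page, not code from PT Luxa Addons. The action
// name, the "file" parameter and the function names are assumptions.

// --- Vulnerable pattern (CWE-22): the request names the file and nothing
// confines it to the intended directory. ---------------------------------
function luxa_delete_file_vulnerable(): void {
    $base = wp_upload_dir()['basedir'];
    $file = isset($_POST['file']) ? (string) wp_unslash($_POST['file']) : '';

    // file=../../wp-config.php resolves outside $base. Stripping "../" once
    // would not help either: "....//" survives a single str_replace pass.
    $target = $base . '/' . $file;
    if (file_exists($target)) {
        unlink($target);
    }
    wp_send_json_success();
}

// --- Hardened version ----------------------------------------------------

/**
 * Canonicalise $base/$relative and return it only if it is an existing
 * regular file strictly inside $base; otherwise return null.
 */
function luxa_resolve_in_dir(string $base, string $relative): ?string {
    // realpath() throws a ValueError on NUL bytes in PHP 8 (returns false
    // in PHP 7), so reject them before calling it.
    if ($relative === '' || strpos($relative, "\0") !== false) {
        return null;
    }
    $base_real = realpath($base);
    if ($base_real === false) {
        return null;
    }
    // realpath() collapses ../ and resolves symlinks, so a link placed in
    // the uploads directory that points at wp-config.php fails the check too.
    $target_real = realpath($base_real . DIRECTORY_SEPARATOR . $relative);
    if ($target_real === false || !is_file($target_real)) {
        return null;
    }
    // Compare with a trailing separator so that base "/srv/uploads" does
    // not accept "/srv/uploads-old/x".
    $prefix = rtrim($base_real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target_real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target_real;
}

function luxa_delete_file_hardened(): void {
    // CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer('luxa_delete_file', 'nonce');
    // Least privilege: a subscriber-level login is not enough.
    if (!current_user_can('upload_files')) {
        wp_send_json_error('forbidden', 403);
    }
    // Input normalisation only; the real control is the path check below.
    $file   = isset($_POST['file']) ? sanitize_text_field(wp_unslash($_POST['file'])) : '';
    $target = luxa_resolve_in_dir(wp_upload_dir()['basedir'], $file);
    if ($target === null) {
        wp_send_json_error('invalid file', 400);
    }
    if (!unlink($target)) {
        wp_send_json_error('delete failed', 500);
    }
    wp_send_json_success(['deleted' => basename($target)]);
}

// Registered for logged-in users only. Adding the same callback under
// wp_ajax_nopriv_luxa_delete_file would expose it to anonymous requests,
// turning the PR:L rating of this CVE into PR:N.
add_action('wp_ajax_luxa_delete_file', 'luxa_delete_file_hardened');
```

The hardened handler differs from the vulnerable one in three places that map onto the CVSS vector: the nonce and capability check decide who may call it (PR), the realpath-plus-prefix comparison decides which files it may touch (the restricted directory that CWE-22 is about), and the wp_ajax_ registration without a nopriv_ twin keeps unauthenticated visitors away from it. Blocklisting "../" instead of canonicalising is the usual mistake; the prefix check on the resolved path is what actually enforces the boundary.
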

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values removed: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N'}
Values added:   {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 20:15:00 +0000

Type: Metrics (cvssV3_1)
Values removed: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}
Values added:   {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N'}


Thu, 23 Oct 2025 15:15:00 +0000

Type: Metrics
Values removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
                cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 21:30:00 +0000

Type: Metrics
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ypromo PT Luxa Addons pt-luxa-addons allows Path Traversal. This issue affects PT Luxa Addons: from n/a through <= 1.2.2.
Type: Title
Values added: WordPress PT Luxa Addons Plugin <= 1.2.2 - Arbitrary File Deletion Vulnerability
Type: Weaknesses
Values added: CWE-22
Type: References
Values added: (none shown)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:57.867Z

Reserved: 2025-09-25T15:34:23.206Z

Link: CVE-2025-60217

Vulnrichment

Updated: 2025-10-22T20:35:18.089Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:58.967

Modified: 2026-04-27T16:16:33.740

Link: CVE-2025-60217

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T23:45:16Z

Weaknesses