Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Robert Seyfriedsberger ionCube tester plus ioncube-tester-plus allows Path Traversal. This issue affects ionCube tester plus: from n/a through <= 1.3.
Published: 2026-03-05
Score: 7.5 High
EPSS: 6.8% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a Path Traversal flaw (CWE‑22) in the ionCube tester plus WordPress plugin. The CVE description states that the plugin does not properly restrict file pathnames to the intended directory, which allows path traversal. Although the description does not explicitly say that the attacker can download arbitrary files, the plugin’s name and common usage imply that it serves downloadable content; it is therefore inferred that an attacker could exploit the path traversal to download any file from the server where the plugin is installed, potentially exposing confidential files.

Affected Systems

The affected product is the WordPress plugin ionCube tester plus authored by Robert Seyfriedsberger. All versions up to and including 1.3 are vulnerable; versions newer than 1.3 are presumed fixed or not affected. No further version granularity is given.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, primarily affecting confidentiality. The EPSS score of 7% suggests a moderate probability of exploitation. The vulnerability is not listed in CISA KEV. Remote attackers with access to the WordPress site or the plugin’s file download endpoint could potentially leverage path traversal to retrieve arbitrary files. Given the nature of the flaw, it may also serve as a foothold for subsequent attacks.

Generated by OpenCVE AI on May 22, 2026 at 15:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ionCube tester plus to the latest available release (any version newer than 1.3) where the path traversal issue has been resolved.
  • If an upgrade cannot be performed immediately, disable or uninstall the plugin to prevent exploitation.
  • Review file download handling in the plugin and enforce strict path validation against a whitelist of allowed directories, following CWE‑22 mitigation practices, until a patch is available.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Robert Seyfriedsberger; Robert Seyfriedsberger ioncube Tester Plus; Wordpress; Wordpress wordpress
Vendors & Products | | Robert Seyfriedsberger; Robert Seyfriedsberger ioncube Tester Plus; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Robert Seyfriedsberger ionCube tester plus ioncube-tester-plus allows Path Traversal. This issue affects ionCube tester plus: from n/a through <= 1.3.
Title | | WordPress ionCube tester plus plugin <= 1.3 - Arbitrary File Download vulnerability
Weaknesses | | CWE-22
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T21:01:54.552Z

Reserved: 2025-12-31T20:13:23.068Z

Link: CVE-2025-69411

Vulnrichment

Updated: 2026-03-05T15:01:07.080Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:12.960

Modified: 2026-04-22T21:26:58.303

Link: CVE-2025-69411

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T15:45:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')