Description
The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-09-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Arbitrary File Read
Action: Patch
AI Analysis

Impact

The Propovoice All‑in‑One Client Management System plugin contains an arbitrary file read flaw in its send_email() function. This flaw arises from improper input validation and is classified as CWE‑73. An unauthenticated attacker can specify any file path when invoking the email API, allowing read access to arbitrary files on the server and potentially revealing sensitive data, thus compromising confidentiality of the entire WordPress site.

Affected Systems

The vulnerability impacts the fassionstorage Propovoice plugin for WordPress. All releases up to and including version 1.7.6.7 are affected. No information is available about versions beyond 1.7.6.7.

Risk and Exploitability

Based on the description, it is inferred that the attack vector is sending unauthenticated HTTP requests to the plugin’s email API endpoint. The CVSS score of 7.5 marks the issue as high severity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild at present, and the vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit the flaw by sending unauthenticated HTTP requests to the plugin’s email API endpoint, gaining full read access to arbitrary files on the server.

Generated by OpenCVE AI on April 22, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Propovoice plugin to any version newer than 1.7.6.7 to remove the vulnerability.
  • If an immediate upgrade is not possible, temporarily disable the Propovoice plugin until the patch is applied.
  • Deploy a web application firewall or configure access‑control rules to block unauthenticated requests to the plugin’s email API endpoint.

Generated by OpenCVE AI on April 22, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27665 The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Fri, 12 Sep 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Fassionstorage
Fassionstorage all-in-one Client Management System Plugin
Wordpress
Wordpress wordpress
Vendors & Products Fassionstorage
Fassionstorage all-in-one Client Management System Plugin
Wordpress
Wordpress wordpress

Thu, 11 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Sep 2025 07:30:00 +0000

Type Values Removed Values Added
Description The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Title Propovoice <= 1.7.6.7 - Unauthenticated Arbitrary File Read
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Fassionstorage All-in-one Client Management System Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:04.848Z

Reserved: 2025-07-31T15:00:11.187Z

Link: CVE-2025-8422

cve-icon Vulnrichment

Updated: 2025-09-11T14:06:34.807Z

cve-icon NVD

Status : Deferred

Published: 2025-09-11T08:15:33.883

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8422

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z

Weaknesses