Login Sign Up

CVE-2025-13725

6.5 MEDIUM
Path Traversal

📋 TL;DR

This vulnerability allows authenticated attackers with Contributor-level WordPress access to read arbitrary files on the server through the Gutenberg Thim Blocks plugin. Attackers can access sensitive files like wp-config.php containing database credentials and other configuration secrets. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor WordPress plugin
Versions: All versions up to and including 1.0.1
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with Contributor role or higher. WordPress multisite installations are also affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise via database credential theft from wp-config.php, leading to site takeover, data exfiltration, or ransomware deployment.

🟠

Likely Case

Sensitive file disclosure including database credentials, API keys, and configuration files, potentially enabling further attacks.

🟢

If Mitigated

Limited impact if proper file permissions restrict access to sensitive files and database credentials are rotated regularly.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward via manipulation of the iconSVG parameter in the thim-blocks/icon block.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.0.1

Vendor Advisory: https://plugins.trac.wordpress.org/browser/thim-blocks

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Gutenberg Thim Blocks' and click 'Update Now'. 4. Verify update to version after 1.0.1. 5. Clear any caching plugins/CDN caches.

🔧 Temporary Workarounds

Disable vulnerable plugin

all

Temporarily disable the Thim Blocks plugin until patched

wp plugin deactivate thim-blocks

Restrict user roles

all

Temporarily remove Contributor role access or restrict to trusted users only

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests containing path traversal patterns in iconSVG parameter
  • Monitor file access logs for unusual patterns and implement strict file permissions on sensitive files like wp-config.php

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Gutenberg Thim Blocks' version 1.0.1 or earlier

Check Version:

wp plugin get thim-blocks --field=version

Verify Fix Applied:

Verify plugin version is greater than 1.0.1 and test icon block functionality

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /wp-json/thim-blocks/v1/icon with suspicious iconSVG parameter values containing path traversal sequences (../, ..\)
  • File read attempts on sensitive paths in web server logs

Network Indicators:

  • POST requests to WordPress REST API endpoints with iconSVG parameter containing file paths

SIEM Query:

source="web_access_logs" AND uri="/wp-json/thim-blocks/v1/icon" AND (iconSVG="*../*" OR iconSVG="*..\\*")

📊 Metadata

CVE ID: CVE-2025-13725
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-22
EPSS Score: 0.06% exploit probability (19.9th percentile)
Published: January 17, 2026
Last Updated: January 26, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13725, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)