CVE-2025-14059
📋 TL;DR
The EmailKit WordPress plugin, in all versions up to and including 1.6.1, contains a path traversal vulnerability that allows authenticated attackers with the Author role or higher to read arbitrary files that the web server process can access. The create_template REST API endpoint passes a user-supplied path to file_get_contents() without checking that it resolves inside the intended template directory. Attackers can exfiltrate sensitive files such as wp-config.php through MetForm's email confirmation feature.
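The following is an added illustration of the vulnerability class described above, written for this page; it is not EmailKit's code, and the parameter name, directory layout and `.html` restriction are assumptions. It shows the unchecked `file_get_contents()` pattern beside a hardened loader that canonicalises the path with `realpath()` and enforces an allowlisted base directory, then exercises both against a constructed directory tree.

```php
<?php
// Added illustration of the vulnerability class behind CVE-2025-14059, written for
// this page; it is NOT EmailKit's code. Parameter and directory names are assumptions.
// Requires PHP 8.0+ (str_contains, str_starts_with, union return types).

// Vulnerable pattern: a request-controlled value reaches file_get_contents() unchecked,
// so "../../wp-config.php" or "/etc/passwd" is read and returned to the caller.
function load_template_unsafe(string $user_path): string|false
{
    return file_get_contents($user_path);
}

// Hardened pattern: canonicalise the candidate against an allowlisted base directory
// and only read it if it is a regular file that still lives under that directory.
function load_template_safe(string $base_dir, string $user_path): string|false
{
    $base = realpath($base_dir);
    if ($base === false) {
        return false;
    }
    // NUL bytes truncate C-level paths; absolute paths (and Windows drive letters or
    // backslashes) bypass the base directory entirely, so reject them outright.
    if ($user_path === '' || str_contains($user_path, "\0") || $user_path[0] === '/'
        || preg_match('#^[A-Za-z]:|\\\\#', $user_path)) {
        return false;
    }
    // realpath() collapses "." / ".." and resolves symlinks, so the prefix check
    // below is on the real location rather than on the attacker's spelling of it.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $user_path);
    if ($candidate === false || !str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return false;
    }
    // Restrict to the file type a template loader should ever need.
    if (!is_file($candidate) || pathinfo($candidate, PATHINFO_EXTENSION) !== 'html') {
        return false;
    }
    return file_get_contents($candidate);
}

// Demo on a constructed layout under the system temp directory: a templates/ folder
// with one legitimate file and a sibling wp-config.php holding a fake secret.
$root = sys_get_temp_dir() . '/cve-2025-14059-demo-' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/welcome.html", '<p>Hello</p>');
file_put_contents("$root/wp-config.php", "<?php define('DB_PASSWORD', 'constructed-secret');");

$traversal = '../wp-config.php';
printf("unsafe, traversal input : %s\n",
    load_template_unsafe("$root/templates/$traversal") === false ? 'refused' : 'SECRET READ');
printf("safe,   traversal input : %s\n",
    load_template_safe("$root/templates", $traversal) === false ? 'refused' : 'SECRET READ');
printf("safe,   legitimate input: %s\n",
    load_template_safe("$root/templates", 'welcome.html') === false ? 'refused' : 'served');

// Remove the constructed files.
unlink("$root/templates/welcome.html");
unlink("$root/wp-config.php");
rmdir("$root/templates");
rmdir($root);
```

The prefix comparison must be done on the `realpath()` result, not on the raw input: stripping `../` from the string is bypassable (for example `....//`), and a symlink inside the template directory would otherwise escape it unnoticed.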
💻 Affected Systems
- EmailKit WordPress Plugin
⚠️ Manual Verification Required
The NVD entry for this CVE does not carry a version range, so automated scanners keyed on NVD data cannot determine whether a site is affected. Use the version range from the Wordfence advisory (affected: 1.6.1 and earlier; fixed: 1.6.2) and the checks under "How to Verify" below instead.
- Review the CVE details at NVD
- Check the vendor changelog and the Wordfence advisory for your installed version
- Test whether the endpoint is reachable by Author-level accounts in your environment
- Update to 1.6.2 or later regardless; there is no reason to stay on an affected release
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to database credentials, encryption keys, and server configuration files, leading to complete site compromise, data theft, and potential lateral movement to other systems.
Likely Case
Attackers read wp-config.php to obtain database credentials, then access and exfiltrate sensitive user data, modify site content, or install backdoors.
If Mitigated
With the plugin updated or the create_template endpoint disabled, the endpoint no longer resolves attacker-controlled paths. Note that file-permission hardening alone does not protect wp-config.php: the PHP process must be able to read it, so any read-what-PHP-can-read primitive reaches it. Restrictive permissions only limit reads outside the web root (for example /etc/shadow or other users' home directories).
🎯 Exploit Status
Exploitation requires an authenticated account with the Author role or higher (any site that allows Author-level self-registration or contributor promotion should treat this as low-friction), but is otherwise a single crafted REST API request. Proof-of-concept details are public in the referenced vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.6.2 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the EmailKit plugin and click 'Update Now' if available.
4. If no automatic update is offered, download version 1.6.2 or later from WordPress.org and manually replace the plugin files.
🔧 Temporary Workarounds
Disable REST API endpoint
Remove or restrict access to the vulnerable create_template REST API endpoint.
Add to the theme's functions.php: remove_action('rest_api_init', 'emailkit_register_rest_routes');
Caveat: remove_action() only works if the callback name and priority match exactly how the installed plugin registers its routes (check includes/Admin/Api/CheckForm.php and the plugin's rest_api_init hooks); if the plugin registers from a class method, the string callback above will silently do nothing. Verify with an Author-level account that the endpoint actually returns an error afterwards.
Restrict user permissions
Temporarily reduce Author-level user permissions or remove unnecessary Author accounts, and review recently created accounts for unexpected role assignments.
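As an added example (not EmailKit's, Wordfence's or WordPress.org's code), the following must-use plugin refuses the route at dispatch time via the `rest_pre_dispatch` filter, which runs before any plugin callback regardless of how the route was registered. The route prefix is taken from this page's log-indicator section and is an assumption to confirm against your installed copy; the log message format is the author's choice.

```php
<?php
/**
 * Plugin Name: Block EmailKit create_template (CVE-2025-14059 workaround)
 *
 * Added example written for this page, not EmailKit's or Wordfence's code.
 * Save as wp-content/mu-plugins/block-emailkit-create-template.php: mu-plugins
 * load before regular plugins and cannot be deactivated from the admin UI.
 * The route prefix below is an assumption taken from this page's log indicators;
 * confirm it against includes/Admin/Api/CheckForm.php in your installed version.
 */

defined('ABSPATH') || exit;

const EMAILKIT_BLOCKED_ROUTE_PREFIX = '/emailkit/v1/create_template'; // assumption

add_filter('rest_pre_dispatch', function ($result, $server, $request) {
    // WP_REST_Request::get_route() returns the matched route, e.g.
    // "/emailkit/v1/create_template", for both /wp-json/... and ?rest_route=... URLs.
    $route = $request->get_route();
    if (!str_starts_with($route, EMAILKIT_BLOCKED_ROUTE_PREFIX)) {
        return $result; // not our route: let normal dispatch continue
    }

    // Record the attempt so the SIEM query on this page has something to match on,
    // then short-circuit dispatch with a 403 before the plugin callback runs.
    error_log(sprintf(
        'CVE-2025-14059 workaround: blocked REST route %s for user %d from %s',
        $route,
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));

    return new WP_Error(
        'rest_forbidden',
        'This endpoint is disabled pending the EmailKit 1.6.2 security update.',
        ['status' => 403]
    );
}, 10, 3);
```

After installing it, test with an Author-level account: a POST to /wp-json/emailkit/v1/create_template should return HTTP 403 with the rest_forbidden code. Remove the file once the plugin is on 1.6.2 or later, since it will also break the legitimate template feature.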
🧯 If You Can't Patch
- Deactivate the EmailKit plugin completely until it can be updated
- Add WAF rules that block traversal sequences ('../', '..\', and their URL-encoded and double-encoded forms such as '%2e%2e%2f' and '%252e%252e%252f') and absolute paths in both the query string and the POST body of requests to the EmailKit REST routes; treat this as defence in depth only, since pattern rules are routinely bypassed with encoding variants
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the EmailKit version. If the version is 1.6.1 or lower and the plugin is active, the site is vulnerable.
Check Version:
wp plugin list --name=emailkit --field=version (if WP-CLI installed)
Verify Fix Applied:
Verify EmailKit plugin version is 1.6.2 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- REST API requests to /wp-json/emailkit/v1/create_template (or /index.php?rest_route=/emailkit/v1/create_template) whose query string carries path traversal sequences, including URL-encoded forms ('%2e%2e%2f', '..%2f')
- Repeated requests to that route from a single low-privilege (Author-level) account, or from accounts that do not normally use EmailKit templates
- POST requests to the route containing '../../' or absolute file paths; note that web server access logs do not record POST bodies, so this indicator requires application-level or WAF request logging
Network Indicators:
- Unusual outbound email traffic from MetForm containing file contents
- REST API calls from Author-level users reading non-template files
SIEM Query:
source="wordpress.log" AND "emailkit/v1/create_template" AND ("../" OR "/etc/" OR "wp-config")
Extend the pattern with URL-encoded variants ('%2e%2e', '%2f') and with the ?rest_route= form of the URL; as written it only catches plaintext traversal in pretty-permalink requests.
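As an added detection example (not part of the page's SIEM tooling or any vendor product), this PHP CLI script applies the log indicators above to combined-format access log lines, decoding URL encoding twice so single- and double-encoded traversal is caught, and separately flags bare POSTs to the route because the body is not visible in an access log. The sample lines are constructed (RFC 5737 addresses, fabricated timestamps), and the parameter names `template` and `path` are assumptions.

```php
<?php
// Added detection example written for this page; not part of any vendor tooling.
// Scans Apache/Nginx combined-format access log lines for requests to the EmailKit
// create_template route (route string taken from the log-indicator list above) that
// carry traversal sequences, including URL-encoded and double-encoded forms.
// Parameter names in the sample lines ("template", "path") are assumptions.

const SUSPECT_ROUTE = 'emailkit/v1/create_template';

function looks_like_traversal(string $value): bool
{
    // Decode twice so %2e%2e%2f and %252e%252e%252f both collapse to "../";
    // normalise backslashes so "..\" is treated like "../".
    $decoded = str_replace('\\', '/', rawurldecode(rawurldecode($value)));
    return (bool) preg_match(
        '#(^|[/?=&])\.\.(/|$)|(^|[?=&])/(etc|proc|var|home|root)/|wp-config\.php#i',
        $decoded
    );
}

// Returns one finding per suspicious line: ip, timestamp, method, target, status, reason.
function scan_access_log(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match('#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})#', $line, $m)) {
            continue; // not a combined-format request line
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        // Match both the pretty-permalink (/wp-json/...) and ?rest_route=%2Femailkit... forms.
        if (stripos(rawurldecode($target), SUSPECT_ROUTE) === false) {
            continue;
        }
        if (looks_like_traversal($target)) {
            $reason = 'traversal sequence in request target';
        } elseif (strtoupper($method) === 'POST') {
            // Access logs never record the POST body, so a bare POST to the route can
            // only be flagged for correlation with application-level or WAF logging.
            $reason = 'POST to vulnerable route; body not visible in access log';
        } else {
            continue;
        }
        $findings[] = compact('ip', 'ts', 'method', 'target', 'status', 'reason');
    }
    return $findings;
}

// Constructed sample lines (RFC 5737 documentation addresses, fabricated timestamps).
$sample = [
    '203.0.113.5 - - [10/Mar/2025:14:02:11 +0000] "POST /wp-json/emailkit/v1/create_template?template=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 1532 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/Mar/2025:14:02:30 +0000] "POST /index.php?rest_route=%2Femailkit%2Fv1%2Fcreate_template&path=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 980 "-" "curl/8.4.0"',
    '198.51.100.7 - - [10/Mar/2025:14:05:02 +0000] "POST /wp-json/emailkit/v1/create_template HTTP/1.1" 200 412 "https://example.test/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2025:14:05:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
];

// For a real log, pass new SplFileObject('/var/log/apache2/access.log') instead of $sample.
foreach (scan_access_log($sample) as $f) {
    printf("%s %s %s %s -> %s\n", $f['ts'], $f['ip'], $f['method'], $f['target'], $f['reason']);
}
```

The first two sample lines are flagged for traversal (the second only because of the double decode), the third is flagged as a POST whose body cannot be inspected from the access log, and the unrelated wp/v2/posts request produces nothing. Correlate the flagged requests with the WordPress user ID from application logs, since the access log alone does not show which account made them.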
🔗 References
- https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L163
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3419280%40emailkit%2Ftrunk&old=3373383%40emailkit%2Ftrunk&sfp_email=&sfph_mail=#file1
- https://www.wordfence.com/threat-intel/vulnerabilities/id/91ebe8cb-99ec-4380-a77e-17e17144a17e?source=cve