CVE-2025-23422 – This path traversal vulnerability in the WordPr... (How to Fix)

📋 TL;DR

This path traversal vulnerability in the WordPress Store Locator plugin allows attackers to include arbitrary local PHP files through improper path validation. Attackers can potentially execute malicious code or access sensitive files on affected WordPress installations. All WordPress sites using vulnerable versions of the Store Locator plugin are affected.

💻 Affected Systems

Products:

WordPress Store Locator Plugin

Versions: All versions up to and including 3.98.10

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with vulnerable plugin version

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or website defacement

🟠

Likely Case

Unauthorized file access, sensitive information disclosure, or limited code execution

🟢

If Mitigated

Attack blocked at web application firewall level with no successful exploitation

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires understanding of path traversal techniques and WordPress file structure

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 3.98.10

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/store-locator/vulnerability/wordpress-store-locator-plugin-3-98-10-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find Store Locator plugin
4. Click 'Update Now' if available
5. If no update available, deactivate and remove plugin

🔧 Temporary Workarounds

Web Application Firewall Rule

all

Block path traversal patterns in HTTP requests

WAF specific - configure to block requests containing '../', '..\\', or similar traversal patterns

Disable Plugin

WordPress

Temporarily disable the Store Locator plugin until patched

wp plugin deactivate store-locator

🧯 If You Can't Patch

Implement strict file permission controls on web server directories
Deploy web application firewall with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Store Locator version number

Check Version:

wp plugin get store-locator --field=version

Verify Fix Applied:

Verify plugin version is greater than 3.98.10

📡 Detection & Monitoring

Log Indicators:

HTTP requests containing '../' patterns to plugin endpoints
Unusual file access attempts in web server logs

Network Indicators:

HTTP requests with path traversal sequences to /wp-content/plugins/store-locator/

SIEM Query:

web.url:*store-locator* AND (web.url:*..%2f* OR web.url:*..%5c*)

📊 Metadata

CVE ID: CVE-2025-23422

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-22

EPSS Score: 0.11% exploit probability (29.5th percentile)

Published: January 24, 2025

Last Updated: January 24, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/store-locator/vulnerability/wordpress-store-locator-plugin-3-98-10-local-file-inclusion-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-23422, you might also want to check these: