CVE-2025-25163

7.5 HIGH

📋 TL;DR

This path traversal vulnerability in the WordPress plugin A/B Image Optimizer lets an attacker download arbitrary files from the server by manipulating the file path passed to the plugin. It affects every WordPress site running any version of the plugin up to and including 3.3. Because the web server account that runs the plugin can read the site's own configuration, the files reachable this way include wp-config.php and other sensitive data.
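The mechanism behind an arbitrary file download, shown as an added example that is not the plugin's code (the advisory does not publish the affected function): a hypothetical `serve_file_vulnerable()` handler that joins user input onto a base directory unchecked, beside a hardened `serve_file_hardened()` that resolves the path first and rejects anything outside the base. The directory layout in `demo()` is constructed for the example.

```python
"""Illustrative path traversal in a "download file by name" endpoint.

Added example, not code from the A/B Image Optimizer plugin: the advisory does
not publish the affected function, so serve_file_vulnerable() and
serve_file_hardened() are hypothetical handlers showing the bug class and its fix.
"""
import os
import tempfile
from pathlib import Path


class TraversalError(Exception):
    """Raised when a requested path resolves outside the allowed directory."""


def serve_file_vulnerable(base_dir: str, requested: str) -> bytes:
    """Naive handler: joins user input onto the base directory unchecked.

    ".." segments walk out of base_dir, and an absolute `requested` makes
    os.path.join discard base_dir entirely. The web server has already
    URL-decoded `requested`, so %2e%2e%2f arrives here as "../".
    """
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def serve_file_hardened(base_dir: str, requested: str) -> bytes:
    """Resolve symlinks and ".." first, then require the result to sit inside base.

    Comparing resolved paths rather than raw strings also defeats a symlink
    planted inside base_dir that points somewhere else.
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if base not in target.parents:
        raise TraversalError(f"{requested!r} resolves outside {base}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def demo() -> dict:
    """Run both handlers against a constructed layout (sample data, not a real site):

        <root>/wp-config.php      sensitive file the endpoint must never serve
        <root>/uploads/photo.jpg  the directory the endpoint is meant to serve from
    """
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    uploads.mkdir()
    (uploads / "photo.jpg").write_bytes(b"JPEGDATA")
    (root / "wp-config.php").write_bytes(b"define('DB_PASSWORD', 'constructed-secret');")

    results = {
        "vuln_normal": serve_file_vulnerable(str(uploads), "photo.jpg"),
        "vuln_traversal": serve_file_vulnerable(str(uploads), "../wp-config.php"),
        "hard_normal": serve_file_hardened(str(uploads), "photo.jpg"),
    }
    try:
        serve_file_hardened(str(uploads), "../wp-config.php")
        results["hard_traversal"] = "served"
    except TraversalError:
        results["hard_traversal"] = "blocked"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable handler happily returns the sibling wp-config.php; the hardened one serves the legitimate upload and refuses the traversal. The check is done on the resolved path, not by stripping "../" from the string, because string filters are what encoded and doubled sequences are designed to slip past.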

💻 Affected Systems

Products:
  • WordPress Plugin A/B Image Optimizer
Versions: All versions up to and including 3.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable plugin versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise: retrieval of wp-config.php yields database credentials and authentication salts, which can be used to access the database directly, forge sessions, or pivot to further attacks.

🟠 Likely Case

Unauthorized download of sensitive files such as wp-config.php, exposing database credentials and site configuration.

🟢 If Mitigated

Limited impact only if the plugin is removed or traversal requests are blocked upstream of PHP. OS file permissions rarely help here: the web server account that executes the plugin already needs read access to wp-config.php and the rest of the WordPress tree.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, so the vulnerable endpoint is reachable by anyone who can send an HTTP request.
🏢 Internal Only: LOW - An intranet-only WordPress install is exposed to far fewer attackers, but the plugin itself is just as vulnerable; anyone with network access to the site can exploit it.

🎯 Exploit Status

Public PoC: No known public proof of concept at time of writing
Weaponized: UNKNOWN
Unauthenticated Exploit: Yes
Complexity: MEDIUM

No authentication is needed to reach the vulnerable endpoint, which matches the 7.5 score; the attacker only needs a working knowledge of path traversal (including URL-encoded forms) to craft the request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any release later than 3.3; the advisory linked below does not name a specific fixed version, so treat the plugin as unpatched until one appears.

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/images-optimizer/vulnerability/wordpress-plugin-a-b-image-optimizer-plugin-3-3-arbitrary-file-download-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find 'Plugin A/B Image Optimizer'.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and remove the plugin immediately.

🔧 Temporary Workarounds

Disable vulnerable plugin

WordPress

Deactivate and remove the vulnerable plugin until a patched version is available. The WordPress.org slug, as shown in the Patchstack advisory URL above, is images-optimizer; confirm it on your site with `wp plugin list` before running the commands, since the slug differs from the display name.

wp plugin deactivate images-optimizer
wp plugin delete images-optimizer

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules that block path traversal patterns on requests to the plugin's directory, matching after URL decoding so that %2e%2e%2f and double-encoded %252e%252e%252f forms are caught as well as a literal ../
  • Block direct requests to the plugin's PHP files at the web server if they are not needed by the site, and keep secrets such as database credentials out of files the web server account can read where your setup allows it (permissions alone do not stop this bug, since PHP runs as that account)

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins for 'Plugin A/B Image Optimizer' at version 3.3 or earlier.

Check Version:

wp plugin get images-optimizer --field=version

(The slug images-optimizer is taken from the Patchstack advisory URL; verify it with `wp plugin list` if the command reports the plugin as not found.)

Verify Fix Applied:

Verify that the installed plugin version is higher than 3.3, or that the plugin has been completely removed from the system.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in web server logs, in particular requests to the plugin's directory that return files other than images
  • Requests containing '../' sequences, including URL-encoded (%2e%2e%2f, ..%2f) and double-encoded (%252e%252e%252f) variants, or requesting configuration files such as wp-config.php

Network Indicators:

  • HTTP requests with path traversal sequences targeting plugin endpoints

SIEM Query:

web_access_logs WHERE url CONTAINS 'plugins/images-optimizer' AND (url CONTAINS '../' OR url CONTAINS '%2e%2e' OR url CONTAINS '..%2f' OR url CONTAINS '%252e%252e')

(Pseudo-query; adapt the field names to your SIEM. If your platform can URL-decode the field before matching, match the decoded value for '..' instead of enumerating encodings.)
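The log check above, carried out as an added example rather than a query from the page: a small Python scanner that parses combined-format access log lines, URL-decodes the request twice so encoded and double-encoded traversal sequences are caught, and flags only requests aimed at the plugin's directory. The plugin directory name comes from the WordPress.org slug in the Patchstack advisory URL (images-optimizer); the endpoint file name in the sample lines (handler.php) is a placeholder, since the advisory does not name the vulnerable script, and the log lines themselves are constructed.

```python
"""Hunt web-server access logs for traversal requests aimed at the plugin.

Added example, not the page's SIEM query: it decodes URL-encoded and
double-encoded traversal sequences before matching, which a plain
CONTAINS '../' query misses. handler.php is a placeholder endpoint name
(the advisory does not name the vulnerable script); the log lines are constructed.
"""
import re
from urllib.parse import unquote

# Slug taken from the Patchstack advisory URL; confirm with `wp plugin list`.
PLUGIN_PATH = "/wp-content/plugins/images-optimizer/"

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): one benign plugin asset, three
# traversal attempts with increasing encoding, one traversal outside the plugin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2025:12:00:01 +0000] "GET /wp-content/plugins/images-optimizer/assets/app.js HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2025:12:00:05 +0000] "GET /wp-content/plugins/images-optimizer/handler.php?file=../../../wp-config.php HTTP/1.1" 200 2931 "-" "curl/8.4.0"
198.51.100.9 - - [10/Feb/2025:12:00:06 +0000] "GET /wp-content/plugins/images-optimizer/handler.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2931 "-" "curl/8.4.0"
198.51.100.9 - - [10/Feb/2025:12:00:07 +0000] "GET /wp-content/plugins/images-optimizer/handler.php?file=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.44 - - [10/Feb/2025:12:01:00 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""


def normalize_url(url: str) -> str:
    """Undo up to two layers of percent-encoding and fold backslashes to '/'."""
    decoded = unquote(unquote(url))
    return decoded.replace("\\", "/")


def is_traversal(url: str) -> bool:
    """True if the decoded request contains a '..' sequence anywhere.

    Deliberately broad: it also catches filter-bypass forms such as '....//'.
    Legitimate file names containing '..' are rare enough for a hunting query.
    """
    return ".." in normalize_url(url)


def scan(log_text: str, plugin_path: str = PLUGIN_PATH) -> list:
    """Return one record per traversal request aimed at plugin_path.

    A 2xx status with a non-trivial body is the strongest sign the download
    succeeded; 4xx lines still show an attacker probing the endpoint.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalize_url(m["url"])
        if plugin_path in norm and ".." in norm:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "decoded_url": norm,
                "status": int(m["status"]),
                "likely_success": m["status"].startswith("2") and m["size"] not in ("-", "0"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run against the constructed sample, the scanner reports the three plugin-directory traversal attempts (two of them with a 200 and a body size that suggests the file was actually served) and ignores both the benign asset request and the traversal against index.php, which belongs to a different hunt. Feed it real logs by replacing SAMPLE_LOG with the file contents.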
