CVE-2025-6379
📋 TL;DR
The BeeTeam368 Extensions Pro WordPress plugin contains a directory traversal vulnerability that allows authenticated attackers with Subscriber-level access or higher to reach and delete files outside the directory the plugin is meant to manage. In particular, an attacker can delete wp-config.php, which can lead to complete site takeover. All WordPress sites running this plugin at version 2.3.4 or earlier are affected.
💻 Affected Systems
- BeeTeam368 Extensions Pro WordPress Plugin
📦 What is this software?
Vidmov by Beeteam368
⚠️ Risk & Real-World Impact
Worst Case
Complete WordPress site takeover: once wp-config.php is deleted, WordPress falls back into its installation wizard, which the attacker can complete against a database they control to obtain an administrator account and full control of the site.
Likely Case
Unauthorized deletion of files on the server, causing site disruption or data loss; deleting configuration files is the route from a low-privilege account to full control.
If Mitigated
Limited impact if the web server process cannot delete the files an attacker would target (for example, wp-config.php is kept in a directory the web server user cannot write to), though the vulnerability itself remains until the plugin is updated.
🎯 Exploit Status
Exploitation requires an authenticated account, but only Subscriber-level privileges, which any site with open registration hands out freely. Once authenticated, traversing to and deleting wp-config.php is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: a release later than 2.3.4 (the exact version is not named here; check the vendor's changelog)
Vendor Advisory: https://themeforest.net/item/vidmov-video-wordpress-theme/35542187
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find BeeTeam368 Extensions Pro.
4. Update to the latest version (later than 2.3.4).
5. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable or Remove Plugin
Temporarily deactivate or completely remove the vulnerable plugin until the patched version is installed. Confirm the plugin slug with wp plugin list before running the commands below.
wp plugin deactivate beeteam368-extensions-pro
wp plugin delete beeteam368-extensions-pro
Restrict User Registration
Temporarily disable new user registration so attackers cannot self-register Subscriber accounts. Existing Subscriber accounts can still exploit the flaw, so review those as well.
wp option update users_can_register 0
🧯 If You Can't Patch
- Keep wp-config.php out of reach of the web server process: move it one directory above the web root (WordPress checks that location automatically) and make sure that directory is not writable by the web server user. Making the file itself read-only does not prevent deletion, because unlink is governed by the permissions of the containing directory, not of the file.
- Monitor wp-config.php with file integrity monitoring and alert immediately if it disappears or if the site unexpectedly starts serving the installation wizard; audit deletion attempts against it.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > BeeTeam368 Extensions Pro version. If version is 2.3.4 or lower, system is vulnerable.
Check Version:
wp plugin get beeteam368-extensions-pro --field=version
Verify Fix Applied:
After update, verify plugin version is above 2.3.4 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- File deletion attempts on wp-config.php
- Unauthorized directory traversal attempts in web server logs
- Multiple failed authentication attempts followed by successful Subscriber login
Network Indicators:
- POST requests to plugin endpoints with directory traversal patterns
- Unusual file deletion requests from authenticated users
SIEM Query (pseudo-syntax; adapt to your platform):
source="web_server" AND (uri_path="*beeteam368*" AND (param="*../*" OR action="*delete*"))
Match percent-encoded traversal (%2e%2e%2f, %2e%2e/, ..%5c) as well as the literal form, and note that standard web server access logs do not record POST bodies, so parameters sent in the body only appear in WAF or application logs.
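As an added, worked example (not code from this page or from the plugin vendor), the following Python script applies the same detection logic as the query above to a few constructed access-log lines: it percent-decodes each request repeatedly so double-encoded traversal is not missed, flags any path or query value carrying a traversal sequence, and scores each hit by whether it references the plugin slug, targets wp-config.php, or arrives by POST. The AJAX action value beeteam368_remove_file and the sample IP addresses are assumed placeholders; the page does not name the vulnerable endpoint, so the detector keys on the slug and the traversal pattern rather than on a specific action.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample lines in combined log format; not real traffic. The AJAX
# action value "beeteam368_remove_file" is an assumed placeholder: the advisory
# does not name the vulnerable endpoint, so the detector keys on traversal
# sequences and on the plugin slug appearing anywhere in the request, not on
# a specific action name.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:12:01:07 +0000] "POST /wp-admin/admin-ajax.php?action=beeteam368_remove_file&file=../../wp-config.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:12:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=beeteam368_remove_file&file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:12:02:11 +0000] "GET /wp-content/plugins/beeteam368-extensions-pro/assets/app.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:12:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=beeteam368_remove_file&file=tmp/upload-1.jpg HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2025:12:04:02 +0000] "GET /wp-login.php?redirect_to=..%5c..%5cwp-config.php HTTP/1.1" 302 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" anywhere in the value, or a trailing "/.." / "\.."
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|[/\\]\.\.$')


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded %252e%252e%252f is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line):
    """Return a finding dict for a request carrying traversal, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('url'))
    path = fully_decode(parts.path)
    # parse_qsl decodes one layer; fully_decode strips any further layers
    params = [(k, fully_decode(v))
              for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    evidence = [s for s in [path] + [v for _, v in params]
                if TRAVERSAL_RE.search(s)]
    if not evidence:
        return None
    blob = (path + ' ' + ' '.join(f'{k}={v}' for k, v in params)).lower()
    score, reasons = 1, ['traversal sequence']
    if 'beeteam368' in blob:
        score += 1
        reasons.append('plugin endpoint')
    if 'wp-config.php' in blob:
        score += 1
        reasons.append('targets wp-config.php')
    if m.group('method') == 'POST':
        score += 1
        reasons.append('POST')
    return {'ip': m.group('ip'), 'ts': m.group('ts'),
            'method': m.group('method'), 'status': int(m.group('status')),
            'score': score, 'reasons': reasons, 'evidence': evidence}


def scan(log_text):
    """Analyse every line; return findings, highest score first (stable order)."""
    findings = [f for f in map(analyse_line, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: f['score'], reverse=True)


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"score={f['score']} {f['ip']} {f['method']} {f['ts']} "
              f"status={f['status']} reasons={', '.join(f['reasons'])} "
              f"evidence={f['evidence']}")
```

Of the five constructed lines, the two admin-ajax requests with ../../wp-config.php (one of them double-encoded) score highest, the wp-login.php redirect with a backslash traversal scores lower because it does not touch the plugin, and the two benign plugin requests are not reported. Because access logs never contain POST bodies, a real deployment should feed the same analysis WAF or application logs that do capture request parameters.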