Vulnerability Description
The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.
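The mismatch described above is easiest to see side by side. The following Python simulation is an added example, not PhastPress code: it models a web-server decode layer that is assumed to refuse a literal NUL (which is why the payload is double-encoded as %2500), a validator that URL-decodes again and checks the extension, and a path builder that truncates at the first NUL, then shows a hardened resolver that rejects NUL and checks extension and webroot containment on the exact string that reaches the filesystem. The webroot, the allow-list and the function names are assumptions.

```python
"""Simulation of the validation/canonicalization mismatch described above.

Constructed example, not PhastPress code. Two decode layers are modelled:
the web server decodes the request path once, and the plugin's extension
check decodes it again (the advisory says getExtensionForURL works on
URL-decoded paths). The web-server layer is assumed to refuse a literal
NUL, which is why the attacker double-encodes it as %2500.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEBROOT = "/var/www/html"                  # assumed document root
ALLOWED_EXTENSIONS = {"txt", "css", "js"}  # assumed allow-list


def server_decode(raw_path: str) -> str:
    """First decode layer (web server). Assumed to reject a literal NUL."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:
        raise ValueError("request rejected: NUL byte in URL")
    return decoded


def vuln_extension_for_url(path: str) -> str:
    """Validator: decodes again, then takes everything after the last dot.
    On 'wp-config.php\\x00.txt' this yields 'txt'."""
    decoded = unquote(path)
    return decoded.rsplit(".", 1)[-1].lower() if "." in decoded else ""


def vuln_append_normalized(root: str, path: str) -> str:
    """Path builder: truncates at the first NUL, then joins under root.
    On 'wp-config.php\\x00.txt' this yields '<root>/wp-config.php'."""
    truncated = unquote(path).split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(root, truncated.lstrip("/")))


def vuln_resolve(raw_path: str) -> Optional[str]:
    """Vulnerable flow: the allow-list check and the path build disagree
    about which bytes of the input matter."""
    path = server_decode(raw_path)
    if vuln_extension_for_url(path) not in ALLOWED_EXTENSIONS:
        return None
    return vuln_append_normalized(WEBROOT, path)


def safe_resolve(raw_path: str) -> Optional[str]:
    """Hardened flow: NUL rejected outright, then extension and containment
    are checked on the exact, normalized string that reaches the filesystem."""
    path = server_decode(raw_path)
    decoded = unquote(path)
    if "\x00" in decoded:
        return None
    full = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        return None                        # traversal outside the webroot
    ext = posixpath.splitext(full)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return full


if __name__ == "__main__":
    payload = "/wp-config.php%2500.txt"    # constructed request path
    print("vulnerable:", vuln_resolve(payload))
    print("hardened:  ", safe_resolve(payload))
```

The defensive property to take from the hardened version is not the NUL check alone but that every decision (extension, containment) is made on the same canonical string that is later opened, so no later normalization step can change what was validated.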
CVSS Score
9.8 (CRITICAL)
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L95
- https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L96
- https://plugins.trac.wordpress.org/changeset/3418139
- https://www.wordfence.com/threat-intel/vulnerabilities/id/eec9bbc0-5a68-4624-a67
FAQ
What is CVE-2025-14388?
CVE-2025-14388 is an Unauthenticated Arbitrary File Read vulnerability in the PhastPress plugin for WordPress, affecting all versions up to and including 3.7, with a CVSS base score of 9.8 (CRITICAL). It stems from a null byte injection: the extension check in `getExtensionForURL()` runs on the URL-decoded path, while `appendNormalized()` truncates the path at the first null byte before building the filesystem path, so a double URL-encoded null byte (%2500) followed by an allowed extension such as .txt passes validation but resolves to the file named before the null byte (for example wp-config.php).
How severe is CVE-2025-14388?
CVE-2025-14388 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-14388?
The affected range is all PhastPress versions up to and including 3.7, so update the plugin to a release newer than 3.7. The WordPress.org plugin changeset listed in the references (https://plugins.trac.wordpress.org/changeset/3418139) is the plugin commit associated with this advisory and shows the code change; the Wordfence advisory linked above carries the vendor-side remediation details. Until the update is applied, treat any request to the plugin's file-serving endpoint containing %00 or %2500 as hostile in WAF rules and access-log review.