Path Traversal Vulnerability in Simple Download Counter Plugin for WordPress
CVE-2025-13677

4.9 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 10 December 2025

What is CVE-2025-13677?

The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal due to inadequate path validation in the simple_download_counter_parse_path() function. This vulnerability allows authenticated attackers with Administrator privileges to access arbitrary files on the server, potentially exposing sensitive information such as the database credentials in the wp-config.php file or other critical system files. The vendor has made efforts to mitigate the risk by disabling remote file downloads from arbitrary locations on multi-site installations and by providing warnings for site owners in the readme.txt upon installation of the plugin. However, users are advised to exercise caution when using this plugin.

Affected Version(s)

Simple Download Counter * <= 2.2.2

CVSS V3.1

Score: 4.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Camilla Flocco