Path Traversal Vulnerability in Simple Download Counter Plugin for WordPress
CVE-2025-13677

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Simple Download Counter
Vendor: CVE Published:; 10 December 2025

What is CVE-2025-13677?

The Simple Download Counter plugin for WordPress is vulnerable to a Path Traversal issue due to inadequate path validation in the simple_download_counter_parse_path() function. This vulnerability allows authenticated attackers with Administrator privileges to access arbitrary files on the server, potentially exposing sensitive information such as database credentials found in the wp-config.php file or other critical system files. The vendor has made efforts to mitigate the risk by disabling remote file downloads from arbitrary locations on multi-site installations, and provided warnings for site owners in the readme.txt upon installation of the plugin. However, users are advised to exercise caution when using this plugin.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Simple Download Counter * <= 2.2.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/simple-downloa...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 10, 2025
Vulnerability Reserved
Nov 25, 2025

Credit

Camilla Flocco

JSON

WordPress

What is CVE-2025-13677?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.