Path Traversal Vulnerability in EmailKit Plugin for WordPress
CVE-2025-14059

6.5MEDIUM

Key Information:

Vendor

WordPress
Status
Emailkit – Email Customizer For WooCommerce & WP
Vendor
CVE Published:
7 January 2026

What is CVE-2025-14059?

The EmailKit plugin for WordPress is exposed to a significant security flaw that allows authenticated attackers with Author-level permissions or higher to perform Arbitrary File Read operations. This vulnerability arises from inadequate path validation in the create_template REST API endpoint. User-controlled input from the emailkit-editor-template parameter is passed directly to the file_get_contents() function without proper sanitization, enabling attackers to access sensitive files on the server, like /etc/passwd and wp-config.php. The exfiltrated data can be stored in post meta and accessed through MetForm's email confirmation feature, posing a serious risk to the confidentiality and integrity of the WordPress environment.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

EmailKit – Email Customizer for WooCommerce & WP * <= 1.6.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/emailkit/trunk...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dmitrii Ignatyev
JSON
.