Path Traversal Vulnerability in WPMU DEV Smush Image Compression and Optimization
CVE-2025-22288

4.1MEDIUM

Key Information:

Vendor: WordPress
Status: Smush Image Compression And Optimization
Vendor: CVE Published:; 6 November 2025

What is CVE-2025-22288?

The Path Traversal vulnerability in WPMU DEV's Smush Image Compression and Optimization plugin allows an attacker to manipulate file paths, potentially leading to unauthorized access to sensitive files on the server. This issue affects versions from n/a to 3.17.0 and poses a significant risk to WordPress sites using the plugin, as it could be exploited to read files that should be inaccessible. Web administrators should ensure they are using a patched version to mitigate this risk.

Affected Version(s)

Smush Image Compression and Optimization <= n/a

References

https://vdp.patchstack.com/database/Wordpress/Plugin/wp-s...

vdb-entry

CVSS V3.1

Score:

4.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Nov 6, 2025
Vulnerability Reserved
Jan 3, 2025

Credit

SteveSec | Patchstack Bug Bounty Program

JSON