Arbitrary File Download Vulnerability in WP01 Plugin for WordPress
CVE-2025-2267

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: WP01 – Speed, Security, Seo Consultant
Vendor: CVE Published:; 15 March 2025

What is CVE-2025-2267?

The WP01 plugin for WordPress is susceptible to an Arbitrary File Download vulnerability due to inadequate capability verification and improper restrictions on the make_archive() function. This security flaw enables authenticated attackers with Subscriber-level access or higher to download and access arbitrary files on the server, which potentially exposes sensitive data. The issue persists in all versions up to and including 2.6.2, requiring immediate attention to safeguard server integrity.

Affected Version(s)

WP01 – Speed, Security, SEO consultant * <= 2.6.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wp01/trunk/inc...

https://wordpress.org/plugins/wp01/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 15, 2025
Vulnerability Reserved
Mar 12, 2025

Credit

Youcef Hamdani