Relative Path Traversal in Delete Comments By Status Plugin by NotFound
CVE-2025-25130

7.5HIGH

Key Information:

Vendor: WordPress
Status: Delete Comments By Status
Vendor: CVE Published:; 3 March 2025

What is CVE-2025-25130?

The Delete Comments By Status plugin by NotFound has a vulnerability that enables relative path traversal, allowing unauthorized PHP Local File Inclusion. This issue impacts all versions up to 2.1.1, potentially exposing sensitive information and files on the server if exploited.

Affected Version(s)

Delete Comments By Status <= 2.1.1

References

https://patchstack.com/database/wordpress/plugin/delete-c...

vdb-entry

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 3, 2025
Vulnerability Reserved
Feb 3, 2025

Credit

Dimas Maulana (Patchstack Alliance)

JSON

WordPress

What is CVE-2025-25130?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit