Path Traversal Vulnerability in Hot Random Image Plugin for WordPress
CVE-2025-4419
4.3 MEDIUM
What is CVE-2025-4419?
The Hot Random Image plugin for WordPress is affected by a Path Traversal vulnerability in versions up to 1.9.2. Authenticated users with Contributor-level access or higher can abuse the 'path' parameter to gain unauthorized access to arbitrary images outside of the designated directory. This vulnerability may expose sensitive files and could be exploited further if not patched, so website owners should update to a secure version.
Affected Version(s)
Hot Random Image * <= 1.9.2
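
A containment check of the kind that closes this class of bug on a 'path' parameter, given here as an added example and not the plugin's own code or its patch. The function names, the extension allow-list and the demo directory tree are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not the plugin's code or its patch.
const HRI_ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

// Resolve a user-supplied folder against a fixed base directory.
// Returns the canonical directory, or null if it is not inside the base.
function hri_resolve_image_dir(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    // Reject a missing base, NUL bytes and stream wrappers such as phar://
    if ($base === false || strpos($userPath, "\0") !== false || strpos($userPath, '://') !== false) {
        return null;
    }
    // realpath() collapses ../ and follows symlinks; false if the path is absent
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    // Trailing separator stops /uploads-private from matching /uploads
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $inside = strncmp($target . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) === 0;
    return $inside ? $target : null;
}

// List only image files from a directory that passed the containment check.
function hri_list_images(string $baseDir, string $userPath): array
{
    $dir = hri_resolve_image_dir($baseDir, $userPath);
    if ($dir === null) {
        return [];
    }
    $images = [];
    foreach ((scandir($dir) ?: []) as $name) {
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (is_file($dir . DIRECTORY_SEPARATOR . $name) && in_array($ext, HRI_ALLOWED_EXT, true)) {
            $images[] = $name;
        }
    }
    return $images;
}

// Constructed demo tree: uploads/gallery/a.jpg is inside the base, private/b.jpg is not.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . uniqid('hri_demo_');
mkdir("$root/uploads/gallery", 0700, true);
mkdir("$root/private", 0700, true);
touch("$root/uploads/gallery/a.jpg");
touch("$root/private/b.jpg");
print_r(hri_list_images("$root/uploads", 'gallery'));    // request inside the base
print_r(hri_list_images("$root/uploads", '../private')); // request that resolves outside the base
```

The comparison is made on the canonical path after `realpath()`, so a symlink inside the base that points elsewhere is also rejected.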