WordPress Plugin Vulnerabilities

Health Check & Troubleshooting <= 1.7.1 - Authenticated (Admin+) Path Traversal

Description

The Health Check & Troubleshooting plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to perform actions on files outside of the originally intended directory.

Affects Plugins

Plugin icon
health-check
No known fix

References

CVE
CVE-2025-64253
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/941aef7f-435b-4e59-8d55-f95800233c80

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
2.7 (low)

Miscellaneous

Original Researcher
PPzzAArr
Verified
No
WPVDB ID
1a4b0ff7-2e89-4256-86e9-03ffe3ebdb2e

Timeline

Publicly Published
2025-12-15 (about 4 months ago)
Added
2025-12-20 (about 4 months ago)
Last Updated
2025-12-20 (about 4 months ago)

Other

Published
Title
Published
2015-09-30
Title
mTheme-Unus Theme - Local File Inclusion (LFI)
Published
2024-10-14
Title
WordPress Gallery Plugin – Limb Image Gallery <= 1.5.7 - Authenticated (Subscriber+) Arbitrary File Download
Published
2025-02-03
Title
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams < 7.3.1 - Unauthenticated Arbitrary File Deletion
Published
2024-07-03
Title
Elementor Addons by Livemesh < 8.4.1 - Authenticated (Contributor+) Limited Local File Inclusion via Widgets
Published
2015-06-10
Title
History Collection <= 1.1.1 - Arbitraty File Download