WordPress Plugin Vulnerabilities

Simple Download Counter < 2.2.3 - Authenticated (Administrator+) Arbitrary File Read via Path Traversal

Description

The Simple Download Counter plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.2.2. This is due to insufficient path validation in the `simple_download_counter_parse_path()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which may contain sensitive information such as database credentials (wp-config.php) or system files. Please note that the vendor opted to continue to allow remote file downloads from arbitrary locations on the server, however, has disabled this functionality on multi-sites and provided a warning to site owners in the readme.txt when they install the plugin. While not an optimal patch, we have considered this sufficient and recommend users proceed to use the plugin with caution.

Affects Plugins

Plugin icon
simple-download-counter
Fixed in 2.2.3

References

CVE
CVE-2025-13677
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b82a0f71-29d7-469a-8c69-5ab68d599cb9

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
ChamlaVic
Verified
No
WPVDB ID
35eeb7e9-39fc-4786-b8a6-858ed0122003

Timeline

Publicly Published
2025-12-09 (about 6 months ago)
Added
2025-12-09 (about 6 months ago)
Last Updated
2025-12-10 (about 6 months ago)

Other

Published
Title
Published
2025-01-31
Title
Jupiterx Core < 4.8.8 - Authenticated (Contributor+) Arbitrary File Read
Published
2015-06-10
Title
RobotCPA Plugin V5 - Unauthenticated Local File Inclusion
Published
2014-12-29
Title
Sell Downloads 1.0.1 - Arbitrary File Disclosure
Published
2025-04-10
Title
InstaWP Connect < 0.1.0.86 - Unauthenticated Local PHP File Inclusion
Published
2026-06-15
Title
WANotifier < 2.6 - Subscriber+ LFI