WordPress Plugin Vulnerabilities

Category Icon < 1.0.2 - Author+ Arbitrary File Download

Description

The plugin is vulnerable to Path Traversal. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
category-icon
Fixed in 1.0.2

References

CVE
CVE-2025-31825
URL
https://patchstack.com/database/wordpress/plugin/category-icon/vulnerability/wordpress-category-icon-plugin-1-0-0-arbitrary-file-download-vulnerability

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
minhtuanact
Verified
No
WPVDB ID
88831d7b-9344-4025-aef6-a8fc889b1c5c

Timeline

Publicly Published
2025-04-03 (about 1 year ago)
Added
2025-04-08 (about 1 year ago)
Last Updated
2025-05-20 (about 1 year ago)

Other

Published
Title
Published
2025-04-23
Title
Database Toolset <= 1.8.4 - Unauthenticated Arbitrary File Deletion
Published
2025-06-22
Title
Download Counter <= 1.4 - Unauthenticated Arbitrary File Read
Published
2025-07-07
Title
Easy Video Player Wordpress & WooCommerce <= 10.0 - Unauthenticated Arbitrary File Download
Published
2014-12-02
Title
Wordpress CodeArt Google MP3 Player - File Disclosure
Published
2018-04-06
Title
WP Background Takeover <= 4.1.4 - Directory Traversal