WatchTowerHQ < 3.16.1 – Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter | CVE 2025-13972 | Plugin Vulnerabilities

Description

The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.16.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys.

Affects Plugins

Fixed in 3.16.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/13fcbff8-8560-48ca-82df-8b620961d9c6

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ChamlaVic

Verified

No

WPVDB ID

8da42213-a0e1-44cb-9795-242e52659335

Timeline

Publicly Published

2025-12-11 (about 3 months ago)

Added

2025-12-11 (about 3 months ago)

Last Updated

2026-01-13 (about 2 months ago)

Other

Published

Title

Published

2026-01-06

Title

Yoco Payments < 3.9.1 - Unauthenticated Arbitrary File Read

Published

2024-03-26

Title

Ajax Load More < 7.1.0 - Authenticated (Admin+) Directory Traversal to Arbitrary File Read

Published

2024-06-06

Title

Strategery Migrations <= 1.0 - Unauthenticated Arbitrary File Deletion

Published

2016-09-07

Title

WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader

Published

2026-03-20

Title

Scape - Multipurpose WordPress theme < 1.5.16 - Unauthenticated Arbitrary File Deletion