EmailKit < 1.6.2 – Authenticated (Author+) Arbitrary File Read via Path Traversal | CVE 2025-14059 | Plugin Vulnerabilities

Description

The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in all versions up to, and including, 1.6.1. This is due to missing path validation in the create_template REST API endpoint where user-controlled input from the emailkit-editor-template parameter is passed directly to file_get_contents() without sanitization. This makes it possible for authenticated attackers with Author-level permissions or higher to read arbitrary files on the server, including sensitive configuration files like /etc/passwd and wp-config.php, via the REST API. The file contents are stored in post meta and can be exfiltrated through MetForm's email confirmation feature.

Affects Plugins

Fixed in 1.6.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/91ebe8cb-99ec-4380-a77e-17e17144a17e

Classification

Type

FILE DELETION

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

9a46db7a-5749-4dd3-8225-c7d6015e8a5f

Timeline

Publicly Published

2026-01-06 (about 5 months ago)

Added

2026-01-06 (about 5 months ago)

Last Updated

2026-01-07 (about 5 months ago)

Other

Published

Title

Published

2025-07-14

Title

Alone – Charity Multipurpose Non-profit WordPress Theme < 7.8.7 - Missing Authorization to Unauthenticated Arbitrary File Deletion

Published

2025-03-25

Title

Import Export Suite for CSV and XML Datafeed < 7.19.1 - Subscriber+ Arbitrary File Deletion

Published

2025-06-24

Title

Everest Forms (Pro) < 1.9.5 - Unauthenticated Arbitrary File Deletion via Path Traversal

Published

2025-07-06

Title

WP Pipes <= 1.4.3 - Unauthenticated Arbitrary File Deletion

Published

2025-03-19

Title

Order Export & Order Import for WooCommerce < 2.6.1 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Deletion via admin_log_page Function