WPMasterToolKit (WPMTK) – All in one plugin < 2.6.0 – Authenticated (Administrator+) to Arbitrary File Read and Write | CVE 2025-3300 | Plugin Vulnerabilities

Description

The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to read and modify the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

wpmastertoolkit

Fixed in 2.6.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c389ba1a-45c5-4fba-9b99-0713fe39da42

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

nquangit

Verified

No

WPVDB ID

b5cbed80-454f-4156-ba43-a3f92ff9245a

Timeline

Publicly Published

2025-04-23 (about 1 year ago)

Added

2025-04-23 (about 1 year ago)

Last Updated

2025-04-30 (about 1 year ago)

Other

Published

Title

Published

2019-06-19

Title

Sina Extension For Elementor <= 2.2.0 - LFI

Published

2024-08-01

Title

WooCommerce PDF Vouchers < 4.9.5 - Unauthenticated Arbitrary File Deletion

Published

2021-10-19

Title

Images to WebP < 1.9 - Authenticated Local File Inclusion

Published

2024-06-13

Title

Folders Pro < 3.0.3 - Authenticated(Author+) Arbitrary File Upload via handle_folders_file_upload

Published

2024-04-22

Title

Conversational Forms for ChatBot < 1.2.0 - Unauthenticated Arbitrary File Download