WOLF – WordPress Posts Bulk Editor and Manager Professional < 1.0.8.6 – Authenticated (Editor+) Path Traversal | CVE 2025-24605 | Plugin Vulnerabilities

Description

The WOLF – WordPress Posts Bulk Editor and Manager Professional plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.8.5. This makes it possible for authenticated attackers, with Editor-level access and above, to perform actions on files outside of the originally intended directory.

Affects Plugins

Fixed in 1.0.8.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a821d61c-e3c8-4a1b-8a52-a63adcb6c127

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Trương Hữu Phúc (truonghuuphuc)

Verified

No

WPVDB ID

b5e4f761-5e2c-4121-abc8-218257eff2f0

Timeline

Publicly Published

2024-12-27 (about 1 year ago)

Added

2025-02-25 (about 1 year ago)

Last Updated

2025-02-25 (about 1 year ago)

Other

Published

Title

Published

2024-06-06

Title

SC filechecker <= 0.6 - Authenticated (Admin+) Arbitrary File Deletion

Published

2024-08-09

Title

Web Directory Free < 1.7.3 - Unauthenticated LFI

Published

2025-09-26

Title

Workreap < 3.3.6 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2014-08-01

Title

Cross RSS 1.7 - proxy.php rss Parameter Local File Inclusion

Published

2025-08-19

Title

Redirection for Contact Form 7 < 3.2.5 - Unauthenticated Arbitrary File Deletion