PhastPress < 3.8 – Unauthenticated Arbitrary File Read via Null Byte Injection | CVE 2025-14388 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Unauthenticated Arbitrary File Read via null byte injection is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.

Affects Plugins

Fixed in 3.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/eec9bbc0-5a68-4624-a672-bd6227d6fa45

Classification

Type

FILE DOWNLOAD

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

shark3y

Verified

No

WPVDB ID

ba8863ea-de8b-4d1b-9cb5-c2cb26b26f05

Timeline

Publicly Published

2025-12-22 (about 6 months ago)

Added

2025-12-22 (about 6 months ago)

Last Updated

2025-12-22 (about 6 months ago)

Other

Published

Title

Published

2026-01-06

Title

WP-Members Membership Plugin < 3.5.4.5 - Unauthenticated Information Exposure via Unprotected Files

Published

2022-09-19

Title

Download Monitor < 4.5.98 - Admin+ Arbitrary File Download

Published

2022-08-01

Title

Lana Downloads Manager < 1.8.0 - Contributor+ Arbitrary File Download

Published

2022-12-12

Title

Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download

Published

2022-01-06

Title

RVM - Responsive Vector Maps < 6.4.2 - Subscriber+ Arbitrary File Read