WordPress Plugin Vulnerabilities

Security Ninja 5.201 - 5.242 - Admin+ Arbitrary File Read

Description

The plugin is vulnerable to Arbitrary File Read via the 'get_file_source' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to extract sensitive data, including the contents of any file on the server.

Affects Plugins

Plugin icon
security-ninja
Fixed in 5.243

References

CVE
CVE-2025-8009
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/51ee45f8-9978-48ec-8f87-229dc82938a8

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Jonas Benjamin Friedli
Verified
No
WPVDB ID
ca3a184e-668a-4fe7-87f2-79dffa18642d

Timeline

Publicly Published
2025-07-23 (about 9 months ago)
Added
2025-07-24 (about 9 months ago)
Last Updated
2025-07-24 (about 9 months ago)

Other

Published
Title
Published
2025-03-04
Title
Downloable by American Osteopathic Association <= 0.1.0 - Unauthenticated Arbitrary File Download
Published
2022-01-06
Title
RVM - Responsive Vector Maps < 6.4.2 - Subscriber+ Arbitrary File Read
Published
2022-04-12
Title
WPvivid Backup and Migration Plugin < 0.9.71 - Admin+ Arbitrary File Download
Published
2023-06-12
Title
wpForo Forum < 2.1.8 - Subscriber+ Arbitrary File Read, Author+ PHAR Deserialization, and Subscriber+ Server-Side Request Forgery via file_get_contents
Published
2022-11-28
Title
Wholesale Market for WooCommerce < 1.0.7 - Unauthenticated Arbitrary File Download