CRITICAL🇵🇱 Wersja polska

CVE-2025-14388

CVSS 9.8v3.1pub. 2025-12-23upd. 2026-04-15

The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.

🤖 AI Analysis
How it works

The vulnerability stems from an inconsistency between two functions processing file paths: `getExtensionForURL()` validates the extension on the decoded URL path, while `appendNormalized()` truncates the path when encountering a null byte before building the actual system path. An attacker can append a double-encoded null byte (`%2500`) to the requested path followed by an allowed extension (e.g., `.txt`), which causes the extension validation to be satisfied, but the file system reads the file indicated before the null byte. As a result, access to arbitrary files in the webroot directory is possible without any authentication.

Impact

An unauthenticated attacker can read arbitrary files accessible from the webroot level, including the critical wp-config.php file containing database credentials, WordPress secret keys and other sensitive configuration data, which can lead to complete application takeover.

Mitigation & patch

The PhastPress plugin should be updated to a version higher than 3.7. According to available references, the fix was introduced in changeset 3418139. Until the update, temporary plugin deactivation should be considered.

Who is affected

PhastPress plugin for WordPress in all versions up to and including 3.7.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References