CVE-2025-14388

Summary

The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in getExtensionForURL() which operates on URL-decoded paths, and appendNormalized() which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.

Affected Software

VendorProductVersion RangeStatus
kiboitPhastPress0 <= 3.7affected

Weaknesses

  • CWE-158: CWE-158 Improper Neutralization of Null Byte or NUL Character

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References