{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11973", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-20T15:47:04.960Z", "datePublished": "2025-11-21T08:28:12.074Z", "dateUpdated": "2026-04-08T16:58:05.517Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:05.517Z"}, "affected": [{"vendor": "zhengdon", "product": "\u7b80\u6570\u91c7\u96c6\u5668", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.6.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The \u7b80\u6570\u91c7\u96c6\u5668 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.6.3 via the __kds_flag functionality that imports featured images. This makes it possible for authenticated attackers, with Adminstrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "title": "\u7b80\u6570\u91c7\u96c6\u5668 <= 2.6.3 - Authenticated (Admin+) Arbitrary File Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66dc2ca2-c61c-4c73-aa2a-0017299cbca5?source=cve"}, {"url": "https://wordpress.org/plugins/keydatas/"}, {"url": "https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/trunk/includes/lists/class-gallery-photo-gallery-list-table.php#L1060"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-11-20T19:31:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T15:31:00.266349Z", "id": "CVE-2025-11973", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T18:00:55.249Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11973", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T15:31:00.266349Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T15:31:02.589Z"}}], "cna": {"title": "\u7b80\u6570\u91c7\u96c6\u5668 <= 2.6.3 - Authenticated (Admin+) Arbitrary File Read", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "zhengdon", "product": "\u7b80\u6570\u91c7\u96c6\u5668", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.6.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-20T19:31:53.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66dc2ca2-c61c-4c73-aa2a-0017299cbca5?source=cve"}, {"url": "https://wordpress.org/plugins/keydatas/"}, {"url": "https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/trunk/includes/lists/class-gallery-photo-gallery-list-table.php#L1060"}], "descriptions": [{"lang": "en", "value": "The \u7b80\u6570\u91c7\u96c6\u5668 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.6.3 via the __kds_flag functionality that imports featured images. This makes it possible for authenticated attackers, with Adminstrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:05.517Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11973", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:58:05.517Z", "dateReserved": "2025-10-20T15:47:04.960Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T08:28:12.074Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The \u7b80\u6570\u91c7\u96c6\u5668 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.6.3 via the __kds_flag functionality that imports featured images. This makes it possible for authenticated attackers, with Adminstrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "id": "CVE-2025-11973", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T09:15:46.193", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/gallery-photo-gallery/trunk/includes/lists/class-gallery-photo-gallery-list-table.php#L1060"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/keydatas/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66dc2ca2-c61c-4c73-aa2a-0017299cbca5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T11:56:47.763464+00:00", "value": {"mitigation_remediation": ["Update the \u7b80\u6570\u91c7\u96c6\u5668 plugin to a version newer than 2.6.3, preferably the latest release that includes the file read remediation.", "If an immediate update is not possible, remove or disable the __kds_flag import feature, or enforce stricter file path validation.", "Reduce the number of users with Administrator or higher privileges; review user accounts to ensure only trusted individuals hold such roles."], "summary": {"action": "Immediate Patch", "impact": "Authenticated arbitrary file read"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the \u7b80\u6570\u91c7\u96c6\u5668 plugin installed in any version 2.6.3 or earlier. The vulnerability affects all installations that have enabled the __kds_flag import functionality, regardless of the WordPress version. The vendor is Zhengdon.", "description_and_impact": "The simplified data collector plugin for WordPress (\u7b80\u6570\u91c7\u96c6\u5668) contains a flaw in its __kds_flag feature, which is used when importing featured images. An attacker who can log in with at least Administrator privileges can supply a specially crafted request that causes the plugin to read any file on the server. Read access to arbitrary files can expose configuration files, credentials, or other sensitive data, compromising confidentiality of the site and potentially the underlying server.", "risk_and_exploitability": "The flaw has a moderate CVSS base score of 4.9 and an EPSS score below 1%, indicating a low likelihood of widespread exploitation. It is not listed in the CISA KEV catalog. The attack requires authenticated access with Administrator or higher role, so the likelihood is limited to privileged users. Because the plugin\u2019s relative path handling is unchecked, an attacker can read files outside the webroot. If the site configuration allows, this could expose secrets or private data."}}}}, "created": "2025-11-24T09:09:17.576583+00:00", "updated": "2026-04-22T12:00:05.911889+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}