{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13972", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-03T15:58:53.268Z", "datePublished": "2025-12-12T03:20:40.150Z", "dateUpdated": "2026-04-08T16:36:42.928Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:42.928Z"}, "affected": [{"vendor": "watchtowerhq", "product": "WatchTowerHQ", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.16.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.16.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys."}], "title": "WatchTowerHQ <= 3.16.0 - Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13fcbff8-8560-48ca-82df-8b620961d9c6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/watchtowerhq/tags/3.15.0/src/Download.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/watchtowerhq/trunk/src/Download.php#L104"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Camilla Flocco"}], "timeline": [{"time": "2025-12-11T14:28:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T18:08:23.670986Z", "id": "CVE-2025-13972", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:17:03.501Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13972", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T18:08:23.670986Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:08:25.910Z"}}], "cna": {"title": "WatchTowerHQ <= 3.15.0 - Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Camilla Flocco"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "watchtowerhq", "product": "WatchTowerHQ", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.15.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:28:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13fcbff8-8560-48ca-82df-8b620961d9c6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/watchtowerhq/tags/3.15.0/src/Download.php#L104"}, {"url": "https://plugins.trac.wordpress.org/browser/watchtowerhq/trunk/src/Download.php#L104"}], "descriptions": [{"lang": "en", "value": "The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.15.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T03:20:40.150Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13972", "state": "PUBLISHED", "dateUpdated": "2025-12-15T18:17:03.501Z", "dateReserved": "2025-12-03T15:58:53.268Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:40.150Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WatchTowerHQ plugin for WordPress is vulnerable to arbitrary file read via the 'wht_download_big_object_origin' parameter in all versions up to, and including, 3.16.0. This is due to insufficient path validation in the handle_big_object_download_request function. This makes it possible for authenticated attackers, with administrator-level access and a valid access token, to read arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys."}], "id": "CVE-2025-13972", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-12T04:15:45.183", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/watchtowerhq/tags/3.15.0/src/Download.php#L104"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/watchtowerhq/trunk/src/Download.php#L104"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13fcbff8-8560-48ca-82df-8b620961d9c6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:17:13.835095+00:00", "value": {"mitigation_remediation": ["Upgrade the WatchTowerHQ plugin to a version newer than 3.16.0 that contains the path\u2011validation fix.", "Revoke or reduce administrator privileges for accounts that do not require full control, enforcing the principle of least privilege. ", "Review and restrict file permissions on the WordPress installation, ensuring that the web server account has no unnecessary read access to sensitive files; apply additional protections such as .htaccess or server\u2011level controls where appropriate."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "All versions of the WatchTowerHQ WordPress plugin up to and including 3.16.0 are affected. The vulnerability is present in the plugin regardless of the WordPress installation version, and any site running the affected plugin will be susceptible.", "description_and_impact": "The WatchTowerHQ plugin for WordPress contains an insufficient path validation flaw in the handle_big_object_download_request function. This flaw allows an attacker who is authenticated as an administrator and possesses a valid access token to read any file on the server by providing a crafted 'wht_download_big_object_origin' parameter. The attacker could expose sensitive data such as database credentials or authentication keys.", "risk_and_exploitability": "With a CVSS score of 4.9, the vulnerability is considered moderate in severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation at this time. The flaw is not listed in the CISA KEV catalogue, further suggesting limited public exploitation. However, the requirement for administrator-level access means that only a subset of users could exploit this vulnerability, and successful exploitation would provide the attacker with read access to arbitrary files on the underlying server, potentially exposing critical configuration files and credentials. Since the flaw is limited to authenticated users, an attacker would first need to compromise or obtain credentials with administrative privileges to trigger the path traversal bug."}}}}, "created": "2025-12-12T08:48:24.153865+00:00", "updated": "2026-04-22T16:30:22.135995+00:00", "vendors": ["watchtowerhq", "watchtowerhq$PRODUCT$watchtower", "wordpress", "wordpress$PRODUCT$wordpress"]}