{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14388", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-09T20:27:24.165Z", "datePublished": "2025-12-23T09:20:03.420Z", "dateUpdated": "2026-04-08T17:31:49.693Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:49.693Z"}, "affected": [{"vendor": "kiboit", "product": "PhastPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path."}], "title": "PhastPress <= 3.7 - Unauthenticated Arbitrary File Read via Null Byte Injection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eec9bbc0-5a68-4624-a672-bd6227d6fa45?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9641"}, {"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9608"}, {"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9570"}, {"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9597"}, {"url": "https://plugins.trac.wordpress.org/changeset/3418139"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-158 Improper Neutralization of Null Byte or NUL Character", "cweId": "CWE-158", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "timeline": [{"time": "2025-12-11T19:39:08.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-22T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-23T15:23:48.390593Z", "id": "CVE-2025-14388", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-23T15:23:55.604Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14388", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-23T15:23:48.390593Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-23T15:23:51.757Z"}}], "cna": {"title": "PhastPress <= 3.7 - Unauthenticated Arbitrary File Read via Null Byte Injection", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "kiboit", "product": "PhastPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T19:39:08.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-22T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eec9bbc0-5a68-4624-a672-bd6227d6fa45?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9641"}, {"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9608"}, {"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9570"}, {"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9597"}, {"url": "https://plugins.trac.wordpress.org/changeset/3418139"}], "descriptions": [{"lang": "en", "value": "The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-158", "description": "CWE-158 Improper Neutralization of Null Byte or NUL Character"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:49.693Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14388", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:49.693Z", "dateReserved": "2025-12-09T20:27:24.165Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-23T09:20:03.420Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path."}], "id": "CVE-2025-14388", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-23T10:15:43.673", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9570"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9597"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9608"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9641"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3418139"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eec9bbc0-5a68-4624-a672-bd6227d6fa45?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-158"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:20:52.129086+00:00", "value": {"mitigation_remediation": ["Update the PhastPress plugin to a version newer than 3.7 or replace it with a secure alternative. ", "If an upgrade is not available, disable or uninstall PhastPress to eliminate the vulnerability. ", "Implement additional input validation or server\u2011side filtering to reject null byte characters (%00) in URLs before they reach the plugin\u2019s file\u2011access logic, thereby mitigating the risk of null byte injection."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "The affected product is the PhastPress WordPress plugin developed by Kiboit. All releases up to and including version 3.7 of the plugin are affected. WordPress sites that have not upgraded beyond 3.7 while the plugin remains active are at risk.", "description_and_impact": "The PhastPress plugin for WordPress is vulnerable to an unauthenticated arbitrary file read via null byte injection in all releases up to and including version 3.7. The flaw originates from a mismatch between the extension validation logic, which operates on URL\u2011decoded paths, and the path\u2011construction routine that strips content after a null byte. An attacker can craft a URL containing a double URL\u2011encoded null byte (%2500) followed by a permitted extension and cause the plugin to read and return any file from the webroot, including sensitive files such as wp-config.php. This exposes confidential configuration data and could enable further compromise.", "risk_and_exploitability": "The CVSS base score is 9.8, marking the flaw as critical. The EPSS score is below 1\u202f%, indicating a low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Still, the attack is straightforward: an unauthenticated visitor can send a crafted request with a double\u2011encoded null byte and an allowed extension to the site, triggering the plugin to read arbitrary files from the webroot. No authentication, privileged access, or complex configuration is required for exploitation."}}}}, "created": "2025-12-23T22:39:45.712101+00:00", "updated": "2026-04-20T21:30:18.568683+00:00", "vendors": ["kiboit", "kiboit$PRODUCT$phastpress", "wordpress", "wordpress$PRODUCT$wordpress"]}