{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67914", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T09:59:40.762Z", "datePublished": "2026-01-08T09:17:44.993Z", "dateUpdated": "2026-04-28T16:14:22.989Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "vidmov", "product": "VidMov", "vendor": "beeteam368", "versions": [{"changes": [{"at": "2.3.9", "status": "unaffected"}], "lessThanOrEqual": "2.3.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:37.277Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov allows Path Traversal.<p>This issue affects VidMov: from n/a through <= 2.3.8.</p>"}], "value": "Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov allows Path Traversal.This issue affects VidMov: from n/a through <= 2.3.8."}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-35", "description": "Path Traversal: '.../...//'", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:22.989Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/vidmov/vulnerability/wordpress-vidmov-theme-2-3-8-path-traversal-vulnerability?_s_id=cve"}], "title": "WordPress VidMov theme <= 2.3.8 - Path Traversal vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:00:38.943703Z", "id": "CVE-2025-67914", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:00:41.792Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67914", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T18:00:38.943703Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:56:29.194Z"}}], "cna": {"title": "WordPress VidMov theme <= 2.3.8 - Path Traversal vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "beeteam368", "product": "VidMov", "versions": [{"status": "affected", "changes": [{"at": "2.3.9", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.3.8"}], "packageName": "vidmov", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:37.277Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/vidmov/vulnerability/wordpress-vidmov-theme-2-3-8-path-traversal-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov allows Path Traversal.This issue affects VidMov: from n/a through <= 2.3.8.", "supportingMedia": [{"type": "text/html", "value": "Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov allows Path Traversal.<p>This issue affects VidMov: from n/a through <= 2.3.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-35", "description": "Path Traversal: '.../...//'"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:54.468Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67914", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:00:41.792Z", "dateReserved": "2025-12-15T09:59:40.762Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-08T09:17:44.993Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov allows Path Traversal.This issue affects VidMov: from n/a through <= 2.3.8."}], "id": "CVE-2025-67914", "lastModified": "2026-04-27T18:16:48.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-08T10:15:50.217", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/vidmov/vulnerability/wordpress-vidmov-theme-2-3-8-path-traversal-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-35"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:20:42.795573+00:00", "value": {"mitigation_remediation": ["Upgrade the VidMov theme to version 2.3.9 or later, which removes the path traversal bug.", "If an upgrade is not immediately possible, consider deactivating or uninstalling the VidMov theme until a fix can be applied.", "Restrict file system permissions for the WordPress web process so it can only read files from trusted directories, reducing the impact if the traversal flaw were to be abused.", "Monitor web server logs for repeated '.../' or other anomalous path patterns to detect probing attacks."], "summary": {"action": "Apply Patch", "impact": "Arbitrary File Read via Path Traversal"}, "threat_synthesis": {"affected_systems": "The flaw exists in the VidMov theme released by beeteam368 and affects all installations using versions up to and including 2.3.8. Any WordPress site that has deployed this theme and has not updated beyond 2.3.8 is vulnerable.", "description_and_impact": "A pathname normalization flaw in beeteam368\u2019s VidMov WordPress theme allows an attacker to supply a crafted path containing repeated separators such as '.../...//' which can bypass directory boundaries. This vulnerability satisfies CWE-35 and can be exploited to read any file on the server that the web process can access, potentially exposing configuration files, credentials, or other sensitive data. The impact is significant because it enables non\u2011privileged attackers to disclose confidential information without authentication.", "risk_and_exploitability": "The CVSS score of 7.7 indicates a high severity risk, but the EPSS score of < 1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires a web request that can supply the malicious path; the server\u2019s file handling routine must be invoked by the theme\u2019s functionality. Because the attack is remote and does not require privileged access, it poses a significant threat to confidentiality for affected sites."}}}}, "created": "2026-01-09T13:25:36.895528+00:00", "updated": "2026-04-28T18:30:37.328806+00:00", "vendors": ["beeteam368", "beeteam368$PRODUCT$vidmov", "wordpress", "wordpress$PRODUCT$wordpress"]}