{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9516", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-26T22:50:49.641Z", "datePublished": "2025-09-04T04:23:48.169Z", "dateUpdated": "2026-04-08T16:51:07.738Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:07.738Z"}, "affected": [{"vendor": "docjojo", "product": "atec Debug", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.22", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The atec Debug plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to view the contents of files outside of the originally intended directory."}], "title": "atec Debug <= 1.2.22 - Authenticated (Administrator+) Arbitrary File Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bf43620-34ee-4e4f-b6ee-d24fbdbc894e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/atec-debug/trunk/includes/ATEC/CONFIG.php#L327"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3355260%40atec-debug%2Ftrunk&old=3342365%40atec-debug%2Ftrunk"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-36 Absolute Path Traversal", "cweId": "CWE-36", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-08-27T19:44:06.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-03T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-04T17:16:25.487930Z", "id": "CVE-2025-9516", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-04T17:17:01.140Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9516", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-04T17:16:25.487930Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-04T17:16:56.598Z"}}], "cna": {"title": "atec Debug <= 1.2.22 - Authenticated (Administrator+) Arbitrary File Read", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "docjojo", "product": "atec Debug", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.22"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-27T19:44:06.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-03T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bf43620-34ee-4e4f-b6ee-d24fbdbc894e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/atec-debug/trunk/includes/ATEC/CONFIG.php#L327"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3355260%40atec-debug%2Ftrunk&old=3342365%40atec-debug%2Ftrunk"}], "descriptions": [{"lang": "en", "value": "The atec Debug plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to view the contents of files outside of the originally intended directory."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-36", "description": "CWE-36 Absolute Path Traversal"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:07.738Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9516", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:07.738Z", "dateReserved": "2025-08-26T22:50:49.641Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-04T04:23:48.169Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The atec Debug plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.2.22 via the 'custom_log' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to view the contents of files outside of the originally intended directory."}], "id": "CVE-2025-9516", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-04T10:42:35.027", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/atec-debug/trunk/includes/ATEC/CONFIG.php#L327"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3355260%40atec-debug%2Ftrunk&old=3342365%40atec-debug%2Ftrunk"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bf43620-34ee-4e4f-b6ee-d24fbdbc894e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-36"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T03:18:18.928140+00:00", "value": {"mitigation_remediation": ["Upgrade the atec Debug plugin to the latest version (1.2.23 or newer).", "If an upgrade is not immediately feasible, remove or disable the custom_log parameter from the plugin\u2019s code or configuration to prevent arbitrary file specification.", "Ensure that only trusted administrators have access by reviewing and tightening role permissions, and consider implementing additional logging or monitoring for file access attempts."], "summary": {"action": "Apply Patch", "impact": "Arbitrary file read beyond intended directory via an authenticated administrator privilege"}, "threat_synthesis": {"affected_systems": "All WordPress installations using atec Debug versions 1.2.22 or earlier are affected, regardless of how the plugin is configured. The vulnerability is present in every version up to and including the specified release when an Administrator role exists in the site.", "description_and_impact": "The atec Debug WordPress plugin allows an authenticated user with Administrator or higher access to specify a custom_log file path via a parameter. The plugin does not sufficiently validate that the requested file resides within the expected directory, enabling reading of any file on the server. This results in disclosure of sensitive data and file contents beyond the intended scope, potentially revealing configuration files, credentials, or other private information. The weakness corresponds to path traversal (CWE\u201136).", "risk_and_exploitability": "The CVSS score of 4.9 indicates a moderate risk level. The EPSS score of less than 1% shows that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have valid Administrator credentials; after authentication, the attacker can craft a request containing the custom_log parameter pointing to an arbitrary file, resulting in the file\u2019s contents being returned to the victim. No additional prerequisites beyond administrator access are needed. "}}}}, "created": "2025-09-04T13:12:14.028400+00:00", "updated": "2026-04-21T03:30:26.330464+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}