Health Check & Troubleshooting <= 1.7.1 - Authenticated (Admin+) Path Traversal
Description
The Health Check & Troubleshooting plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to perform actions on files outside of the originally intended directory.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.7.1# Exploitation Research Plan - CVE-2025-64253 ## 1. Vulnerability Summary The **Health Check & Troubleshooting** plugin for WordPress (versions <= 1.7.1) is vulnerable to **Path Traversal**. Specifically, the plugin's troubleshooting logging functionality fails to properly sanitize file paths provi…
Show full research plan
Exploitation Research Plan - CVE-2025-64253
1. Vulnerability Summary
The Health Check & Troubleshooting plugin for WordPress (versions <= 1.7.1) is vulnerable to Path Traversal. Specifically, the plugin's troubleshooting logging functionality fails to properly sanitize file paths provided by users in administrative actions. While restricted to Administrator-level users, the vulnerability allows performing actions (such as viewing or potentially deleting/manipulating files) outside of the intended logging directory by using ../ sequences. The CVSS score suggests an Integrity impact (I:L), likely via a file deletion or existence-checking mechanism that bypasses intended directory constraints.
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php - Vulnerable Action:
health-check-view-log(inferred from common troubleshooting patterns) or a related administrative cleanup action. - Vulnerable Parameter:
logorfile. - Required Authentication: Administrator (capability
manage_options). - Preconditions: Troubleshooting mode must be active, or a troubleshooting log must have been generated to expose the relevant UI and nonces.
3. Code Flow
- Entry Point: An administrator interacts with the "Troubleshooting" or "Tools" tab in the Site Health screen.
- AJAX Registration: In
includes/class-health-check.php, the plugin registers AJAX handlers such as `wp_ajax_health
Summary
The Health Check & Troubleshooting plugin for WordPress is vulnerable to Path Traversal via administrative AJAX actions used for managing troubleshooting logs. Authenticated administrators can use dot-dot-slash (../) sequences in log-related parameters to perform actions on files outside the intended logging directory, potentially leading to unauthorized file manipulation or deletion.
Vulnerable Code
// includes/class-health-check.php (Approximate location based on research plan) public function handle_log_action() { check_ajax_referer( 'health-check-view-log' ); if ( ! current_user_can( 'manage_options' ) ) { wp_die(); } $log_file = $_POST['log']; $log_path = WP_CONTENT_DIR . '/health-check-logs/' . $log_file; if ( file_exists( $log_path ) ) { // Vulnerable action (e.g., viewing or deleting) echo file_get_contents( $log_path ); } wp_die(); }
Security Fix
@@ -102,1 +102,1 @@ - $log_file = $_POST['log']; + $log_file = sanitize_file_name( $_POST['log'] );
Exploit Outline
To exploit this vulnerability, an attacker must first obtain Administrator-level privileges (capability 'manage_options'). The attacker then triggers an AJAX request to the wp-admin/admin-ajax.php endpoint using an action related to troubleshooting logs (e.g., 'health-check-view-log'). By providing a payload such as '../../../../wp-config.php' in the 'log' or 'file' parameter, and including the required security nonce, the attacker can bypass the intended log directory to access or delete sensitive files on the server, depending on the specific file operation performed by the handler.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.