CVE-2025-64253

Health Check & Troubleshooting <= 1.7.1 - Authenticated (Admin+) Path Traversal

lowImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
2.7
CVSS Score
2.7
CVSS Score
low
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Health Check & Troubleshooting plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.7.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to perform actions on files outside of the originally intended directory.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.7.1
PublishedDecember 15, 2025
Last updatedDecember 20, 2025
Affected pluginhealth-check
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-64253 ## 1. Vulnerability Summary The **Health Check & Troubleshooting** plugin for WordPress (versions <= 1.7.1) is vulnerable to **Path Traversal**. Specifically, the plugin's troubleshooting logging functionality fails to properly sanitize file paths provi…

Show full research plan

Exploitation Research Plan - CVE-2025-64253

1. Vulnerability Summary

The Health Check & Troubleshooting plugin for WordPress (versions <= 1.7.1) is vulnerable to Path Traversal. Specifically, the plugin's troubleshooting logging functionality fails to properly sanitize file paths provided by users in administrative actions. While restricted to Administrator-level users, the vulnerability allows performing actions (such as viewing or potentially deleting/manipulating files) outside of the intended logging directory by using ../ sequences. The CVSS score suggests an Integrity impact (I:L), likely via a file deletion or existence-checking mechanism that bypasses intended directory constraints.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php
  • Vulnerable Action: health-check-view-log (inferred from common troubleshooting patterns) or a related administrative cleanup action.
  • Vulnerable Parameter: log or file.
  • Required Authentication: Administrator (capability manage_options).
  • Preconditions: Troubleshooting mode must be active, or a troubleshooting log must have been generated to expose the relevant UI and nonces.

3. Code Flow

  1. Entry Point: An administrator interacts with the "Troubleshooting" or "Tools" tab in the Site Health screen.
  2. AJAX Registration: In includes/class-health-check.php, the plugin registers AJAX handlers such as `wp_ajax_health
Research Findings
Static analysis — not yet PoC-verified

Summary

The Health Check & Troubleshooting plugin for WordPress is vulnerable to Path Traversal via administrative AJAX actions used for managing troubleshooting logs. Authenticated administrators can use dot-dot-slash (../) sequences in log-related parameters to perform actions on files outside the intended logging directory, potentially leading to unauthorized file manipulation or deletion.

Vulnerable Code

// includes/class-health-check.php (Approximate location based on research plan)
public function handle_log_action() {
    check_ajax_referer( 'health-check-view-log' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die();
    }

    $log_file = $_POST['log'];
    $log_path = WP_CONTENT_DIR . '/health-check-logs/' . $log_file;

    if ( file_exists( $log_path ) ) {
        // Vulnerable action (e.g., viewing or deleting)
        echo file_get_contents( $log_path );
    }
    wp_die();
}

Security Fix

--- includes/class-health-check.php
+++ includes/class-health-check.php
@@ -102,1 +102,1 @@
-    $log_file = $_POST['log'];
+    $log_file = sanitize_file_name( $_POST['log'] );

Exploit Outline

To exploit this vulnerability, an attacker must first obtain Administrator-level privileges (capability 'manage_options'). The attacker then triggers an AJAX request to the wp-admin/admin-ajax.php endpoint using an action related to troubleshooting logs (e.g., 'health-check-view-log'). By providing a payload such as '../../../../wp-config.php' in the 'log' or 'file' parameter, and including the required security nonce, the attacker can bypass the intended log directory to access or delete sensitive files on the server, depending on the specific file operation performed by the handler.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.