CVE-2025-3897

The EUCookieLaw plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.7.2 via the 'file_get_contents' function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability can only be exploited if a caching plugin such as W3 Total Cache is installed and activated.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/eucookielaw/trunk/templates/EUCookieCache.php#L26
https://plugins.trac.wordpress.org/changeset/3288917/
https://www.wordfence.com/threat-intel/vulnerabilities/id/d360de79-8490-4e70-b2d9-4f01a1ed3305?source=cve

Configurations

No configuration.

History

12 May 2025, 17:32

Type	Values Removed	Values Added
Summary		(es) El complemento EUCookieLaw para WordPress es vulnerable a la lectura arbitraria de archivos en todas las versiones hasta la 2.7.2 incluida, mediante la función 'file_get_contents'. Esto permite a atacantes no autenticados leer el contenido de archivos arbitrarios en el servidor, que pueden contener información confidencial. Esta vulnerabilidad solo se puede explotar si se instala y activa un complemento de caché como W3 Total Cache.

09 May 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-09 12:15

Updated : 2025-05-12 17:32

NVD link : CVE-2025-3897

Mitre link : CVE-2025-3897

CVE.ORG link : CVE-2025-3897

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

5.9 /10