CVE-2025-60227 HIGH

CVE-2025-60227: WordPress WP Pipes plugin <= 1.4.3 - Arbitrary File Deletion vulnerability

Vendor Thimpress
Product WP Pipes
Weakness CWE-22 · Path traversal
Published October 22, 2025
Last update April 28, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01 Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes wp-pipes allows Path Traversal. This issue affects WP Pipes: from n/a through <= 1.4.3.

Explanation of Vulnerability in Simple Terms

02 Summary

WP Pipes versions 1.4.3 and earlier contain a path traversal vulnerability that allows an unauthenticated attacker to cause a denial of service by making the site unresponsive or unavailable. The vulnerability requires no user interaction and can be exploited remotely over the network. Site administrators should update to a version newer than 1.4.3 as soon as possible.

What an attacker can do

03 Attacker Capabilities

Make the site unavailable or unresponsive by exploiting a path traversal flaw.

Potential impact on your site

04 Site Impact

Your site may become unavailable or unresponsive without warning or user action.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

October 22, 2025 CVE published
April 28, 2026 Record updated