CVE-2025-64230 HIGH

CVE-2025-64230: WordPress Filr plugin <= 1.2.10 - Arbitrary File Deletion vulnerability

Vendor: WP Chill
Product: Filr
Weakness: CWE-22 · Path traversal
Published: December 18, 2025
Last update: April 28, 2026

CVSS base score

7.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

What the vulnerability does

01 Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Chill Filr filr-protection allows Path Traversal. This issue affects Filr: from n/a through <= 1.2.10.

Explanation of Vulnerability in Simple Terms

02 Summary

Filr versions up to 1.2.10 contain a path traversal vulnerability that allows authenticated users to cause a denial of service by accessing files outside the intended directory. An attacker with low-level credentials can trigger this flaw without user interaction. The vulnerability affects the availability of the application across multiple components due to its changed scope.

What an attacker can do

03 Attacker Capabilities

An authenticated user can access files outside the intended directory and cause the application to become unavailable.

Potential impact on your site

04 Site Impact

Users may experience service disruptions or unavailability if an authenticated attacker exploits this path traversal flaw.

Conditions required to exploit

05 Prerequisites

The attacker must have a valid user account with low-level privileges; no user interaction is required.

Key dates

06 Disclosure timeline

December 18, 2025: CVE published
April 28, 2026: Record updated
