4 vulnerabilities found for PhastPress by kiboit
CVE-2025-14388 (GCVE-0-2025-14388)
Vulnerability from nvd – Published: 2025-12-23 09:20 – Updated: 2025-12-23 15:23
Title
PhastPress <= 3.7 - Unauthenticated Arbitrary File Read via Null Byte Injection
Summary
The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.
Severity
9.8 (Critical)
CWE
- CWE-158 - Improper Neutralization of Null Byte or NUL Character
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| kiboit | PhastPress | Affected: `*`, ≤ 3.7 (semver) |
Credits
Angus Girvan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-23T15:23:48.390593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T15:23:55.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PhastPress",
"vendor": "kiboit",
"versions": [
{
"lessThanOrEqual": "3.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-158",
"description": "CWE-158 Improper Neutralization of Null Byte or NUL Character",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T09:20:03.420Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eec9bbc0-5a68-4624-a672-bd6227d6fa45?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9641"
},
{
"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9608"
},
{
"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9570"
},
{
"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9597"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3418139"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T19:39:08.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-22T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "PhastPress \u003c= 3.7 - Unauthenticated Arbitrary File Read via Null Byte Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14388",
"datePublished": "2025-12-23T09:20:03.420Z",
"dateReserved": "2025-12-09T20:27:24.165Z",
"dateUpdated": "2025-12-23T15:23:55.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24210 (GCVE-0-2021-24210)
Vulnerability from nvd – Published: 2021-04-05 18:27 – Updated: 2024-08-03 19:21
Title
PhastPress < 1.111 - Open Redirect
Summary
There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to craft a malformed request to a page using the plugin and then redirect the victim to a malicious page. A support comment from another user one year earlier (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) states that the PHP involved in the request only goes to whitelisted pages, but it is possible to redirect the victim to any domain.
Severity
No CVSS data available.
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | PhastPress | Affected: 1.111, < 1.111 (custom) |
Credits
Felipe Restrepo Rodriguez
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.865Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2497610/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PhastPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.111",
"status": "affected",
"version": "1.111",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only go to whitelisted pages but it\u0027s possible to redirect the victim to any domain."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-05T18:27:47.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://plugins.trac.wordpress.org/changeset/2497610/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "PhastPress \u003c 1.111 - Open Redirect",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24210",
"STATE": "PUBLIC",
"TITLE": "PhastPress \u003c 1.111 - Open Redirect"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PhastPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.111",
"version_value": "1.111"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only go to whitelisted pages but it\u0027s possible to redirect the victim to any domain."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2497610/",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/changeset/2497610/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24210",
"datePublished": "2021-04-05T18:27:47.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-14388 (GCVE-0-2025-14388)
Vulnerability from cvelistv5 – Published: 2025-12-23 09:20 – Updated: 2025-12-23 15:23
Title
PhastPress <= 3.7 - Unauthenticated Arbitrary File Read via Null Byte Injection
Summary
The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.
Severity
9.8 (Critical)
CWE
- CWE-158 - Improper Neutralization of Null Byte or NUL Character
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| kiboit | PhastPress | Affected: `*`, ≤ 3.7 (semver) |
Credits
Angus Girvan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14388",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-23T15:23:48.390593Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T15:23:55.604Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PhastPress",
"vendor": "kiboit",
"versions": [
{
"lessThanOrEqual": "3.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-158",
"description": "CWE-158 Improper Neutralization of Null Byte or NUL Character",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-23T09:20:03.420Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eec9bbc0-5a68-4624-a672-bd6227d6fa45?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9641"
},
{
"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9608"
},
{
"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9570"
},
{
"url": "https://plugins.trac.wordpress.org/browser/phastpress/tags/3.6/sdk/phast.php#L9597"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3418139"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T19:39:08.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-22T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "PhastPress \u003c= 3.7 - Unauthenticated Arbitrary File Read via Null Byte Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14388",
"datePublished": "2025-12-23T09:20:03.420Z",
"dateReserved": "2025-12-09T20:27:24.165Z",
"dateUpdated": "2025-12-23T15:23:55.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24210 (GCVE-0-2021-24210)
Vulnerability from cvelistv5 – Published: 2021-04-05 18:27 – Updated: 2024-08-03 19:21
Title
PhastPress < 1.111 - Open Redirect
Summary
There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to craft a malformed request to a page using the plugin and then redirect the victim to a malicious page. A support comment from another user one year earlier (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) states that the PHP involved in the request only goes to whitelisted pages, but it is possible to redirect the victim to any domain.
Severity
No CVSS data available.
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Unknown | PhastPress | Affected: 1.111, < 1.111 (custom) |
Credits
Felipe Restrepo Rodriguez
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.865Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2497610/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PhastPress",
"vendor": "Unknown",
"versions": [
{
"lessThan": "1.111",
"status": "affected",
"version": "1.111",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Felipe Restrepo Rodriguez"
}
],
"descriptions": [
{
"lang": "en",
"value": "There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only go to whitelisted pages but it\u0027s possible to redirect the victim to any domain."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-05T18:27:47.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://plugins.trac.wordpress.org/changeset/2497610/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "PhastPress \u003c 1.111 - Open Redirect",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24210",
"STATE": "PUBLIC",
"TITLE": "PhastPress \u003c 1.111 - Open Redirect"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PhastPress",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.111",
"version_value": "1.111"
}
]
}
}
]
},
"vendor_name": "Unknown"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Felipe Restrepo Rodriguez"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is an open redirect in the PhastPress WordPress plugin before 1.111 that allows an attacker to malform a request to a page with the plugin and then redirect the victim to a malicious page. There is also a support comment from another user one year ago (https://wordpress.org/support/topic/phast-php-used-for-remote-fetch/) that says that the php involved in the request only go to whitelisted pages but it\u0027s possible to redirect the victim to any domain."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/9b3c5412-8699-49e8-b60c-20d2085857fb"
},
{
"name": "https://plugins.trac.wordpress.org/changeset/2497610/",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/changeset/2497610/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24210",
"datePublished": "2021-04-05T18:27:47.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}