CVE-2025-23562: 
WordPress vulnerability analysis and mitigation

The XLSXviewer WordPress plugin (versions <= 2.1.1) contains a critical vulnerability identified as CVE-2025-23562. This vulnerability allows authenticated users with Subscriber-level access or higher to perform arbitrary file deletion on the server due to insufficient file path validation. The vulnerability was discovered by researcher Mika and publicly disclosed on January 16, 2025 (WPScan, Patchstack).

The vulnerability is classified as a Local File Inclusion (LFI) issue and falls under the OWASP Top 10 category A1: Injection. It has been assigned a CVSS score of 8.1 (high severity) due to its potential impact. The vulnerability stems from insufficient file path validation in the plugin's functionality, which allows authenticated users to delete arbitrary files on the server (WPScan).

The exploitation of this vulnerability could lead to the deletion of critical files on the server, including essential WordPress core files such as wp-config.php. This could result in website breakdown and potentially lead to remote code execution when specific files are targeted. The impact is particularly severe as it affects all versions of the plugin up to and including version 2.1.1 (Patchstack).

Currently, there is no official fix available for this vulnerability. Website administrators are advised to either remove the plugin or implement strict access controls to minimize the risk. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).