CVE-2025-25130: 
WordPress vulnerability analysis and mitigation

A Relative Path Traversal vulnerability was discovered in the WordPress Delete Comments By Status plugin affecting versions through 2.1.1. The vulnerability was reported on January 21, 2025, and publicly disclosed on February 2, 2025. This security flaw allows for PHP Local File Inclusion in the plugin (Patchstack).

The vulnerability has been assigned CVE-2025-25130 and is classified as CWE-23 (Relative Path Traversal). It received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely without requiring privileges but needs user interaction (NVD, Patchstack).

The vulnerability could allow malicious actors to include local files of the target website and display their contents. This could potentially lead to exposure of sensitive information, including database credentials, which might result in complete database compromise depending on the configuration (Patchstack).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement these mitigations immediately (Patchstack).