CVE-2025-25162: 
WordPress vulnerability analysis and mitigation

The WordPress Sports Rankings and Lists plugin version 1.0.2 and earlier contains an Unauthenticated Arbitrary File Download vulnerability, identified as CVE-2025-25162. The vulnerability was discovered by researcher LVT-tholv2k and was publicly disclosed on February 2, 2025 (Patchstack, Wordfence).

The vulnerability has been assigned a CVSS score of 7.1, indicating a high severity level. The security issue is classified under the OWASP Top 10 category A3: Injection. The vulnerability can be exploited without requiring authentication, making it particularly dangerous (Patchstack).

This vulnerability could allow malicious actors to download any file from the affected website, including sensitive files containing login credentials or backup files. The high CVSS score indicates significant potential impact on affected systems (Patchstack).

Currently, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement immediate mitigation measures (Patchstack).