CVE-2025-28980: 
WordPress vulnerability analysis and mitigation

A Path Traversal vulnerability (CVE-2025-28980) was discovered in the WordPress Aviation Weather from NOAA plugin versions up to 0.7.2. The vulnerability was reported on June 30, 2025, and allows arbitrary file deletion on affected WordPress installations (Patchstack).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has received a CVSS v3.1 score of 7.7 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H. The vulnerability requires subscriber-level privileges to exploit (Patchstack).

If exploited, this vulnerability could allow an attacker to delete files from the affected website. The deletion of core files could potentially cause the site to break and stop functioning. The high CVSS score indicates this vulnerability is considered highly dangerous and is expected to become mass exploited (Patchstack).

No official fix is currently available for this vulnerability. The recommended mitigation steps include either removing and replacing the software with an alternative solution, or implementing virtual patching through security solutions like Patchstack that can block attacks until an official fix becomes available (Patchstack).