CVE-2025-31003: 
WordPress vulnerability analysis and mitigation

The Squeeze WordPress plugin version 1.6 and earlier contains a Full Path Disclosure (FPD) vulnerability, identified as CVE-2025-31003. This security issue was discovered by researcher astra.r3verii and publicly disclosed on April 9, 2025. The vulnerability affects the Bogdan Bendziukov Squeeze plugin, allowing unauthorized access to sensitive system information (Patchstack).

The vulnerability is classified as an Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497). It has been assigned a CVSS v3.1 score of 2.7 (Low) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability requires high privileges to exploit, has network access vector, and only impacts confidentiality with low severity (NVD, Patchstack).

The vulnerability could allow a malicious actor to discover the full path of folders or files within the system. This information disclosure could potentially be leveraged to exploit other weaknesses in the system, though the specific impact varies case by case. The overall severity is considered low due to the limited scope of the information disclosure (Patchstack).

The vulnerability has been fixed in version 1.6.1 of the Squeeze plugin. Users are advised to update to version 1.6.1 or later to remediate this security issue. Patchstack users have the additional option to enable auto-updates for vulnerable plugins (Patchstack).