CVE-2025-31827: 
WordPress vulnerability analysis and mitigation

CVE-2025-31827 is a Path Traversal vulnerability discovered in the WordPress plugin Fonto developed by vlad.olaru. The vulnerability affects all versions of Fonto through version 1.2.2. This security issue was disclosed on April 3, 2025, and has been assigned a CVSS v3.1 base score of 4.9 (MEDIUM) (NVD, Patchstack).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and allows for arbitrary file download functionality. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating that the vulnerability requires high privileges to exploit, can be accessed over the network, and has a high impact on confidentiality while not affecting integrity or availability (NVD).

If exploited, this vulnerability could allow a malicious actor with appropriate privileges to download any file from the affected website, including sensitive files containing login credentials or backup files (Patchstack).

Currently, there is no official fix available from the vendor. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).