CVE-2025-32209: 
WordPress vulnerability analysis and mitigation

CVE-2025-32209 is a Path Traversal vulnerability discovered in Total Processing Card Payments for WooCommerce plugin affecting versions through 7.1.5. The vulnerability was disclosed on April 7, 2025, and allows authenticated users with subscriber-level access to perform arbitrary file downloads from the affected WordPress installations (Patchstack Database).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has received a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue allows path traversal attacks that can be initiated by authenticated users with subscriber-level privileges (NVD).

The vulnerability enables malicious actors to download any file from the affected website, including sensitive files containing login credentials or backup files. This could lead to unauthorized access to confidential information stored on the web server (Patchstack Database).

The vulnerability has been patched in version 7.1.6 of the Total Processing Card Payments for WooCommerce plugin. Users are strongly advised to update to this version or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack Database).