CVE-2025-3897: 
WordPress vulnerability analysis and mitigation

The EUCookieLaw plugin for WordPress contains an Arbitrary File Read vulnerability (CVE-2025-3897) discovered and disclosed on May 9, 2025. This vulnerability affects all versions up to and including 2.7.2, impacting WordPress installations with the EUCookieLaw plugin installed alongside a caching plugin such as W3 Total Cache (NVD, Wiz).

The vulnerability exists in the filegetcontents function implementation, allowing unauthenticated attackers to read arbitrary files on the server. The issue has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

If exploited, this vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server, potentially exposing sensitive information. The vulnerability is particularly concerning as it can be exploited without authentication, though it requires the presence of a caching plugin (NVD).

A security update has been released in version 2.7.3 that addresses the unchecked file access vulnerability. The fix includes proper sanitization of file access operations. Users are advised to update to the latest version immediately (WordPress Plugin).