CVE-2025-4419: 
WordPress vulnerability analysis and mitigation

The Hot Random Image plugin for WordPress contains a Path Traversal vulnerability (CVE-2025-4419) discovered and disclosed on May 21, 2025. The vulnerability affects all versions up to and including 1.9.2 and impacts WordPress installations with the Hot Random Image plugin installed. This security issue allows authenticated attackers with Contributor-level access or higher to access arbitrary images with allowed extensions outside of the originally intended directory via the 'path' parameter (NVD, Wiz).

The vulnerability is classified as a Path Traversal (CWE-22) issue with a CVSS v3.1 Base Score of 4.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The security flaw exists in the plugin's handling of the 'path' parameter, which fails to properly validate and restrict directory access (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to access arbitrary images with allowed extensions outside of the originally intended directory. This could potentially lead to unauthorized access to sensitive image files stored in other directories on the server (Wiz).

A fix has been released in version 1.9.3 of the Hot Random Image plugin. The update implements proper path validation by checking if the provided path is within the WordPress installation directory using realpath() and ABSPATH comparisons. Users are advised to update to version 1.9.3 or later to protect against this vulnerability (WordPress Plugin).