CVE-2025-4419: 
WordPress vulnerability analysis and mitigation

The Hot Random Image plugin for WordPress contains a Path Traversal vulnerability (CVE-2025-4419) affecting all versions up to and including 1.9.2. The vulnerability was discovered and disclosed on May 21, 2025, and affects the plugin's handling of the 'path' parameter. This security issue impacts WordPress installations that have the Hot Random Image plugin installed (NVD, Wordfence).

The vulnerability is classified as a Path Traversal (CWE-22) issue with a CVSS v3.1 Base Score of 4.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The security flaw exists in the plugin's handling of the 'path' parameter, which fails to properly validate and restrict directory access (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to access arbitrary images with allowed extensions outside of the originally intended directory. This could potentially lead to unauthorized access to sensitive image files stored in other directories on the server (NVD).

A fix has been released in version 1.9.3 of the Hot Random Image plugin. The update implements proper path validation by checking if the provided path is within the WordPress installation directory using realpath() and ABSPATH comparisons (WordPress Plugin). Users are advised to update to version 1.9.3 or later to protect against this vulnerability.