CVE-2025-47603: 
WordPress vulnerability analysis and mitigation

A Path Traversal vulnerability (CVE-2025-47603) was discovered in Belingo belingoGeo WordPress plugin affecting versions through 1.12.0. The vulnerability was reported by Nguyen Xuan Chien on April 7, 2025, and was publicly disclosed on May 9, 2025. This security flaw allows for improper limitation of pathname to restricted directories, affecting the belingoGeo plugin versions up to and including 1.12.0 (Wiz Security, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The flaw is categorized as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). This unauthenticated vulnerability allows for arbitrary file download capabilities (Wiz Security, Patchstack).

The vulnerability enables malicious actors to download any file from the affected website, including sensitive files containing login credentials and backup files. Due to its high severity rating and unauthenticated nature, this vulnerability is expected to become mass exploited (Patchstack).

Currently, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the mitigation immediately (Patchstack).