CVE-2025-52805: 
WordPress vulnerability analysis and mitigation

A Path Traversal vulnerability (CVE-2025-52805) was discovered in VaultDweller Leyka plugin versions through 3.31.9. The vulnerability was reported on May 11, 2025, by security researcher Nguyen Xuan Chien and publicly disclosed on July 1, 2025 (Patchstack).

The vulnerability is classified as a Local File Inclusion (LFI) issue with a CVSS v3.1 score of 7.5 (High). The attack vector is network-accessible (AV:N) with high attack complexity (AC:H), requires no privileges (PR:N), and needs user interaction (UI:R). The scope is unchanged (S:U) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The vulnerability is tracked as CWE-35 (Path Traversal: '.../...//') (Patchstack).

This Local File Inclusion vulnerability could allow an unauthenticated attacker to include and view local files from the target website. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the server configuration (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. However, Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available. Website owners using the affected plugin versions are advised to implement mitigation measures immediately (Patchstack).