CVE-2025-6379: 
WordPress vulnerability analysis and mitigation

The BeeTeam368 Extensions Pro plugin for WordPress contains a Directory Traversal vulnerability (CVE-2025-6379) discovered in June 2025. This security flaw affects all versions up to and including 2.3.4, allowing authenticated users with Subscriber-level access or higher to manipulate file paths and perform unauthorized actions outside the intended directory (NVD CVE, Wiz Intel).

The vulnerability exists in the handle_live_fn() function of the plugin, which fails to properly validate file paths. It has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD CVE, Wordfence Intel).

The vulnerability enables attackers to delete critical files, specifically the wp-config.php file, which can lead to a complete site takeover. The high CVSS score reflects the severe potential impact on the confidentiality, integrity, and availability of the affected systems (NVD CVE).

Website administrators running BeeTeam368 Extensions Pro should immediately update their installations to a version newer than 2.3.4 when available. Until a patch is released, it is recommended to review and potentially restrict user roles and permissions to minimize the risk of exploitation (NVD CVE).