CVE-2025-8009: 
WordPress vulnerability analysis and mitigation

The Security Ninja – WordPress Security Plugin & Firewall plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 5.242. This vulnerability was discovered and disclosed on July 24, 2025, and is tracked as CVE-2025-8009. The vulnerability affects the plugin's 'getfilesource' function and impacts WordPress installations with the Security Ninja plugin installed (NVD).

The vulnerability exists in the 'getfilesource' function of the Security Ninja plugin. It allows authenticated attackers with Administrator-level access or above to extract sensitive data, including the contents of any file on the server. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The weakness has been classified as CWE-36 (Absolute Path Traversal) (NVD, Wordfence).

The vulnerability allows authenticated administrators to read any file on the server, potentially exposing sensitive information and configurations. This could lead to the disclosure of critical system data and compromise the security of the WordPress installation (NVD).

The vulnerability has been patched in version 5.243 of the Security Ninja plugin. The update includes enhanced file path validation to prevent directory traversal attacks and implements a centralized security system with dual validation (hash + nonce) for all file access. Users are advised to update to version 5.243 or later immediately (WordPress Plugin).