Mallory
Severity: High

Path Traversal in WordPress ioncube-tester-plus loader-wizard.php

Identifiers: CVE-2025-69411 · CWE-22 (Improper Limitation of a Pathname…)

CVE-2025-69411 is a path traversal vulnerability in the WordPress plugin ioncube-tester-plus affecting versions through 1.3. The issue is present in loader-wizard.php, where the application accepts user-controlled input via the ininame query parameter when page=phpconfig and download=1 are supplied. Based on the provided proof of concept, the parameter is not properly restricted to an intended directory or safe filename set, allowing directory traversal sequences such as ../../../../../../../../etc/passwd. A crafted HTTP GET request to /wp-content/plugins/ioncube-tester-plus/loader-wizard.php?page=phpconfig&download=1&ininame=../../../../../../../../etc/passwd returned HTTP 200 and the contents of /etc/passwd, demonstrating arbitrary local file read.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to read arbitrary files from the underlying server filesystem with the privileges of the web application. This can expose sensitive operating system files, application configuration files, credentials, API keys, database connection details, WordPress configuration data, and other secrets useful for follow-on compromise. Depending on file permissions and deployment specifics, the issue may enable reconnaissance, credential harvesting, and chaining into broader compromise, though the provided evidence specifically demonstrates unauthorized local file disclosure rather than code execution.

Mitigation

If you can’t patch tonight, do this now.

Until a fix is deployed, disable or uninstall the ioncube-tester-plus plugin, or block direct access to /wp-content/plugins/ioncube-tester-plus/loader-wizard.php at the web server or WAF layer. If the endpoint must remain reachable for operational reasons, restrict access to it to trusted administrators only. Monitor logs for requests containing page=phpconfig, download=1, or traversal patterns such as ../ in the ininame parameter. Harden filesystem permissions so the web server account cannot read sensitive files it does not need.
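As an added example (not code from this page or from the plugin), the log-monitoring step above in Python: it parses Apache-style access log lines, URL-decodes the query repeatedly so single- and double-encoded traversal is caught, and grades each request to loader-wizard.php. The endpoint path and parameter names are the page's; the sample log lines, severity labels and regular expressions are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines for illustration; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:00:01 +0000] "GET /wp-content/plugins/ioncube-tester-plus/loader-wizard.php?page=phpconfig&download=1&ininame=../../../../../../../../etc/passwd HTTP/1.1" 200 1842 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2026:10:00:02 +0000] "GET /wp-content/plugins/ioncube-tester-plus/loader-wizard.php?page=phpconfig&download=1&ininame=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1842 "-" "curl/8.0"
203.0.113.5 - - [10/Jan/2026:10:00:03 +0000] "GET /wp-content/plugins/ioncube-tester-plus/loader-wizard.php?page=phpconfig&download=1&ininame=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2026:10:00:04 +0000] "GET /wp-content/plugins/ioncube-tester-plus/loader-wizard.php?page=phpconfig&download=1&ininame=php.ini HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2026:10:00:05 +0000] "GET /wp-content/plugins/ioncube-tester-plus/loader-wizard.php?page=phpconfig HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.3 - - [10/Jan/2026:10:00:06 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 200 "-" "curl/8.0"
"""

ENDPOINT = "/wp-content/plugins/ioncube-tester-plus/loader-wizard.php"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' path component bounded by separators (or string ends), forward or back slash.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Leading '/', '\' or a Windows drive prefix: an absolute path, which should never be user-supplied.
ABSOLUTE_RE = re.compile(r'^([\\/]|[A-Za-z]:[\\/])')


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e%252f) is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return a finding dict for a request to the affected endpoint, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != ENDPOINT:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes one layer of %-encoding
    page = params.get("page", [""])[0]
    download = params.get("download", [""])[0]
    ininame = decode_fully(params.get("ininame", [""])[0])

    if TRAVERSAL_RE.search(ininame) or ABSOLUTE_RE.match(ininame):
        severity, reason = "high", "traversal or absolute path in ininame"
    elif page == "phpconfig" and download == "1":
        severity, reason = "medium", "file download via phpconfig page"
    elif page == "phpconfig":
        severity, reason = "low", "phpconfig page accessed"
    else:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"),
            "severity": severity, "reason": reason, "ininame": ininame}


def scan(log_text):
    """Run classify over every line and return the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['ip']:14} {f['status']} {f['reason']} ininame={f['ininame']!r}")
```

Note that a 403 from a WAF still produces a high finding: the decision is made on the decoded parameter, not on the response status, so blocked attempts are visible for triage as well as successful ones.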

Remediation

Patch, then assume compromise.

Update ioncube-tester-plus to a fixed version if one is available from the vendor. If no patched release is available, remove or disable the plugin. The vulnerable code path in loader-wizard.php should be corrected by eliminating direct use of user-supplied path input for file access, enforcing strict allowlisting of permitted filenames, canonicalizing paths, and rejecting traversal sequences and absolute paths. File download functionality should be limited to predefined safe resources only.
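An added example, not the plugin's own code, illustrating both the flaw described in the summary and the remediation steps just listed, written in Python rather than the plugin's PHP: resolve_vulnerable reproduces the unchecked join that lets ininame escape the plugin directory, and resolve_hardened applies the allowlist, separator rejection, canonicalization and containment check. ALLOWED_NAMES, the sandbox directory and the function names are assumptions; the symlink case shows why canonicalizing after the allowlist check still matters.

```python
import os
import tempfile

# Hypothetical allowlist standing in for the plugin's set of downloadable config files
# (assumed names; the real plugin's list is not given on the page).
ALLOWED_NAMES = {"php.ini", "php-cli.ini"}


def resolve_vulnerable(base_dir, ininame):
    """The flawed pattern: user input is joined to the base directory unchecked.
    A leading '/' discards base_dir entirely and '..' components walk out of it."""
    return os.path.normpath(os.path.join(base_dir, ininame))


def resolve_hardened(base_dir, ininame):
    """Allowlist, reject separators, canonicalise, and verify containment.
    Returns the canonical path or raises ValueError carrying the reason."""
    if not ininame:
        raise ValueError("missing filename")
    # Any directory component ('..', '/', 'C:\\') changes the basename, so reject it outright.
    if ininame != os.path.basename(ininame) or "\\" in ininame:
        raise ValueError("path separators or traversal not allowed")
    if ininame not in ALLOWED_NAMES:
        raise ValueError("filename not in allowlist")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, ininame))
    # realpath follows symlinks, so a planted link inside base_dir cannot escape either.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes base directory")
    if not os.path.isfile(candidate):
        raise ValueError("file not found")
    return candidate


def check_request(base_dir, ininame):
    """Report the outcome as ('ok', path) or ('rejected', reason) instead of raising."""
    try:
        return ("ok", resolve_hardened(base_dir, ininame))
    except ValueError as exc:
        return ("rejected", str(exc))


def build_sandbox():
    """Construct a throwaway plugin directory (constructed data): one legitimate php.ini
    and one symlink named php-cli.ini that points at a file outside the directory."""
    base = tempfile.mkdtemp(prefix="ioncube-demo-")
    outside = tempfile.mkdtemp(prefix="outside-")
    with open(os.path.join(base, "php.ini"), "w") as fh:
        fh.write("memory_limit = 128M\n")
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("not for download\n")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(base, "php-cli.ini"))
    return base


if __name__ == "__main__":
    sandbox = build_sandbox()
    for name in ["php.ini", "php-cli.ini", "../../../../../../../../etc/passwd",
                 "/etc/passwd", "wp-config.php"]:
        print(f"{name!r:45} vulnerable -> {resolve_vulnerable(sandbox, name)}")
        print(f"{'':45} hardened   -> {check_request(sandbox, name)}")
```

The order of checks is deliberate: the cheap syntactic rejections run first, the allowlist limits the request to predefined resources as the remediation text requires, and the realpath containment check is kept even though the allowlist already passed, because an allowlisted name can still be a symlink to somewhere else on disk.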
PUBLIC EXPLOITS

No public exploit code observed for this vulnerability.
