PT-2025-22452 · WordPress · Hot Random Image

Kishan Vyas · Published 2025-05-22 · Updated 2025-07-17 · CVE-2025-4419

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Hot Random Image plugin for WordPress, versions up to and including 1.9.2

Description: The issue allows authenticated attackers with Contributor-level access and above to access arbitrary images with allowed extensions outside of the originally intended directory. This is achieved via the path parameter.

Recommendations: For Hot Random Image plugin for WordPress versions up to and including 1.9.2, avoid using the path parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the plugin's image handling functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
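The weakness described above is a missing containment check on a user-controlled path: the extension allow-list is applied, but nothing confirms that the resolved file still lies inside the intended images directory. The following is an added example of how a defender would validate such a parameter; it is not the Hot Random Image plugin's own code, and the function name, the base directory, the extension list and the sample files are all assumptions constructed for the demonstration.

```php
<?php
// Added example (not the Hot Random Image plugin's own code): a defensive
// resolver for a user-supplied "path" parameter that must stay inside an
// images directory and name a file with an allowed image extension.

/**
 * Resolve $requested relative to $baseDir and return the canonical path,
 * or null if it escapes $baseDir, does not exist, or has a disallowed extension.
 */
function resolve_image_path(string $baseDir, string $requested, array $allowedExt): ?string
{
    // Canonicalise the base directory itself; refuse if it does not exist.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Reject NUL bytes early: they can truncate paths in C-backed functions.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // realpath() resolves "..", symlinks and duplicate separators, and returns
    // false when the target does not exist, so the check runs on the real file.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Containment check: the canonical path must start with the base directory
    // plus a separator, so a sibling such as ".../images2" does not pass for ".../images".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Extension allow-list, compared case-insensitively on the *resolved* name,
    // not on whatever the caller typed.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }

    return $candidate;
}

// Constructed demonstration data: a temporary tree with one in-scope image
// and one image that sits outside the intended directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'hri_demo_' . bin2hex(random_bytes(4));
mkdir("$root/images", 0700, true);
mkdir("$root/private", 0700, true);
file_put_contents("$root/images/ok.jpg", 'x');
file_put_contents("$root/private/secret.jpg", 'x');

$allowed = ['jpg', 'jpeg', 'png', 'gif'];
$cases = [
    'ok.jpg',                  // in scope, allowed extension
    '../private/secret.jpg',   // allowed extension but escapes the base directory
    '../images/ok.jpg',        // traversal that resolves back inside the base: accepted
    'missing.png',             // does not exist
];
foreach ($cases as $p) {
    $resolved = resolve_image_path("$root/images", $p, $allowed);
    printf("%-24s -> %s\n", $p, $resolved === null ? 'rejected' : 'allowed');
}

// Tidy up the constructed tree.
unlink("$root/images/ok.jpg");
unlink("$root/private/secret.jpg");
rmdir("$root/images");
rmdir("$root/private");
rmdir($root);
```

The containment test is done on the output of realpath(), not on the raw parameter, so encoded or doubled ".." sequences and symlinks are judged by where they actually land. In a WordPress plugin this check complements, and does not replace, the capability and nonce checks on the endpoint itself, which is the access restriction the recommendation above refers to.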

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2025-4419

Affected Products: Hot Random Image