PT-2025-50302 · WordPress · Wordpress Simple Download Counter

Camilla Flocco · Published 2025-12-10 · Updated 2025-12-10 · CVE-2025-13677

CVSS v3.1: 4.9 Medium

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: WordPress Simple Download Counter plugin versions up to and including 2.2.2

Description: The Simple Download Counter plugin for WordPress has a path traversal issue. Insufficient path validation in the simple_download_counter_parse_path() function allows authenticated attackers with Administrator-level access or higher to read arbitrary files on the server. These files may contain sensitive information, such as database credentials (wp-config.php) or system files. The vendor has disabled remote file downloads from arbitrary locations on multi-sites and provided a warning to site owners in the readme.txt file upon installation.

Recommendations: Update to a version beyond 2.2.2.

Fix

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2025-13677

Affected Products: Wordpress Simple Download Counter