PT-2025-52733 · WordPress · Phastpress

Angus Girvan · Published 2025-12-23 · Updated 2026-01-03 · CVE-2025-14388

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: PhastPress versions prior to 3.8

Description: The PhastPress plugin for WordPress is susceptible to unauthenticated arbitrary file read due to a null byte injection issue. The extension check in getExtensionForURL() operates on the URL-decoded path and sees the whole string, so a path that ends in an allowed extension passes; appendNormalized(), which builds the file path that is actually opened, strips everything after a null byte. Because the two functions do not agree on which path is being handled, an unauthenticated attacker can read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the requested file path.

Recommendations: Update PhastPress to version 3.8 or later.
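The check/use mismatch named in the description, modelled as an added Python example (not PhastPress code and not the project's own implementation): the bodies of getExtensionForURL() and appendNormalized() are simplified reconstructions from the advisory text, the webroot, the allowed-extension set and the access-log lines are constructed, and the assumption that the web server URL-decodes the request once before the plugin decodes it again is how the need for a double-encoded null byte (%2500) is explained here. hardened_resolve() shows the fix pattern a practitioner should look for in 3.8 or in their own code: reject NUL bytes after decoding and validate the extension on the same normalized path that is opened. flag_null_byte_requests() is a matching log check for hunting exploitation attempts.

```python
"""Added model of the CVE-2025-14388 null-byte check/use mismatch (not PhastPress code).

Assumptions, labelled: getExtensionForURL() and appendNormalized() are simplified
reconstructions from the advisory text; WEBROOT, ALLOWED_EXTENSIONS and ACCESS_LOG
are constructed; the web server is assumed to URL-decode the request once before
the plugin decodes it a second time, which is why the attacker needs %2500.
"""
import os
import re
from urllib.parse import unquote

WEBROOT = "/srv/www/wordpress"              # constructed webroot
ALLOWED_EXTENSIONS = {"txt", "css", "js"}   # constructed allow-list


def getExtensionForURL(path: str) -> str:
    """Reconstructed vulnerable validator: decodes once, returns the text after the last dot.

    For "/wp-config.php%00.txt" the decoded string is "/wp-config.php\\x00.txt",
    so the extension it sees is "txt" and the allow-list check passes.
    """
    decoded = unquote(path)
    return decoded.rpartition(".")[2].lower()


def appendNormalized(root: str, path: str) -> str:
    """Reconstructed vulnerable path builder: decodes once, then truncates at the first NUL.

    The truncation mirrors what a C-level open()/fopen() does with a NUL-terminated
    string, so the file actually opened is "<root>/wp-config.php".
    """
    decoded = unquote(path).split("\x00", 1)[0]
    return os.path.normpath(os.path.join(root, decoded.lstrip("/")))


def vulnerable_resolve(request_path: str, root: str = WEBROOT):
    """Plugin flow as the advisory describes it: extension checked on one string, open on another."""
    as_seen_by_php = unquote(request_path)      # assumed server-side decode: %2500 -> %00
    if getExtensionForURL(as_seen_by_php) not in ALLOWED_EXTENSIONS:
        return None
    return appendNormalized(root, as_seen_by_php)


def hardened_resolve(request_path: str, root: str = WEBROOT):
    """Fix pattern: mirror every decode the stack performs, reject NUL, then validate
    the extension on the very same resolved path that will be opened."""
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded:
        return None                             # NUL is never part of a legitimate filename
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, decoded.lstrip("/")))
    if not candidate.startswith(real_root + os.sep):
        return None                             # also blocks ../ escapes from the webroot
    if candidate.rpartition(".")[2].lower() not in ALLOWED_EXTENSIONS:
        return None
    return candidate


# Detection: flag request lines whose target carries an encoded NUL (%00 or %2500).
NUL_IN_URI = re.compile(r"%(?:25)?00", re.IGNORECASE)

ACCESS_LOG = [  # constructed Combined Log Format lines
    '203.0.113.7 - - [23/Dec/2025:10:01:02 +0000] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 812',
    '203.0.113.7 - - [23/Dec/2025:10:01:09 +0000] "GET /wp-config.php%2500.txt HTTP/1.1" 200 3021',
    '198.51.100.9 - - [23/Dec/2025:10:02:41 +0000] "GET /readme.txt HTTP/1.1" 200 7400',
]


def flag_null_byte_requests(lines):
    """Return the log lines whose request target contains an encoded NUL byte."""
    hits = []
    for line in lines:
        m = re.search(r'"[A-Z]+ (\S+) ', line)  # request target between method and HTTP version
        if m and NUL_IN_URI.search(m.group(1)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve("/wp-config.php%2500.txt"))
    print("hardened:  ", hardened_resolve("/wp-config.php%2500.txt"))
    print("benign:    ", hardened_resolve("/readme.txt"))
    print("flagged:   ", flag_null_byte_requests(ACCESS_LOG))
```

The vulnerable flow returns the webroot's wp-config.php for the %2500.txt request while the hardened flow returns nothing for it and still serves /readme.txt; the log check flags only the line with the encoded NUL. A 200 response to such a request, rather than the 404 an unpatched-but-unexploited site would also not give, is the signal worth alerting on.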

Related Identifiers: CVE-2025-14388

Affected Products: PhastPress (WordPress plugin)