Skip to main content
CVE Vulnerability Database

CVE-2025-6379: Beeteam368 Vidmov Path Traversal Flaw

CVE-2025-6379 is a path traversal vulnerability in Beeteam368 Vidmov WordPress plugin allowing authenticated attackers to access files outside intended directories. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-6379 Overview

CVE-2025-6379 is a directory traversal vulnerability in the BeeTeam368 Extensions Pro plugin for WordPress. The flaw affects all versions up to and including 2.3.4 and resides in the handle_live_fn() function. Authenticated users with Subscriber-level access or higher can manipulate file paths to operate on files outside the plugin's intended directory. Attackers can delete the wp-config.php file, which triggers a WordPress reinstallation flow that allows an attacker-controlled database connection. This path leads directly to full site takeover. The vulnerability is tracked under CWE-22: Improper Limitation of a Pathname to a Restricted Directory.

Critical Impact

Authenticated Subscriber accounts can delete arbitrary files, including wp-config.php, leading to complete WordPress site takeover.

Affected Products

  • BeeTeam368 Extensions Pro plugin for WordPress, all versions through 2.3.4
  • WordPress sites bundled with the Vidmov theme that ship this plugin
  • Any WordPress installation where Subscriber-level registration is enabled and the plugin is active

Discovery Timeline

  • 2025-06-28 - CVE-2025-6379 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6379

Vulnerability Analysis

The vulnerability resides in the handle_live_fn() function exposed by the BeeTeam368 Extensions Pro plugin. The function processes user-supplied input that references file paths but fails to sanitize directory traversal sequences such as ../. Authenticated requests can therefore reach files located outside the plugin's working directory.

Because the function is reachable by any authenticated user, the privilege barrier is low. WordPress sites that allow open user registration expose this endpoint to anyone on the internet. The attack vector is the network, complexity is low, and successful exploitation compromises confidentiality, integrity, and availability.

Root Cause

The root cause is missing pathname canonicalization in handle_live_fn(). The function trusts the supplied filename parameter and concatenates it into a filesystem operation without validating that the resolved path remains within an allowed directory. Standard mitigations such as realpath() checks, allow-listing, or stripping traversal characters are absent.

Attack Vector

An attacker first registers a Subscriber account on a vulnerable WordPress site. The attacker then submits a crafted request to the AJAX or REST endpoint that invokes handle_live_fn(), supplying a relative path traversal payload that targets wp-config.php in the WordPress root. The plugin deletes the targeted file. With wp-config.php removed, the next visit to the site triggers the WordPress setup wizard, allowing the attacker to point the installation at a database they control and bind an administrator account. Verified proof-of-concept code is not publicly available at this time. See the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-6379

Indicators of Compromise

  • Absence or recent modification timestamp on wp-config.php in the WordPress installation root
  • HTTP POST requests to admin-ajax.php containing the handle_live_fn action and parameters with ../ sequences
  • Unexpected WordPress setup or installation screen served from a previously configured site
  • New administrator accounts created without a corresponding administrative session

Detection Strategies

  • Inspect web server access logs for requests whose body or query string contains URL-encoded traversal patterns such as %2e%2e%2f targeting plugin endpoints
  • Monitor filesystem audit logs for delete operations on wp-config.php or files outside wp-content/plugins/beeteam368-extensions-pro/
  • Correlate Subscriber-level authentication events with subsequent file deletion activity within a short time window

Monitoring Recommendations

  • Enable WordPress audit logging plugins that record file changes and user role modifications
  • Forward web server, PHP error, and filesystem events to a centralized SIEM for correlation
  • Alert on any sudden appearance of the WordPress installation wizard on production hosts

How to Mitigate CVE-2025-6379

Immediate Actions Required

  • Update the BeeTeam368 Extensions Pro plugin to a version later than 2.3.4 as soon as the vendor publishes a fix
  • Disable user registration on the WordPress site or restrict it to trusted email domains until patched
  • Audit existing Subscriber accounts and remove any that were not provisioned through expected workflows
  • Back up wp-config.php and the WordPress database to an out-of-band location

Patch Information

The vendor has not published an advisory URL in the NVD record at this time. Site operators should monitor the ThemeForest product page and the Wordfence Vulnerability Report for an updated plugin release that remediates handle_live_fn(). Apply the patched version to all affected sites once available.

Workarounds

  • Deactivate the BeeTeam368 Extensions Pro plugin until a fixed version is installed
  • Add a web application firewall rule that blocks requests containing ../ or %2e%2e to admin-ajax.php with the handle_live_fn action
  • Set restrictive filesystem permissions so that the web server user cannot delete wp-config.php, for example by changing ownership to a separate user and applying read-only permissions
bash
# Restrict permissions on wp-config.php to block deletion by the web user
sudo chown root:www-data /var/www/html/wp-config.php
sudo chmod 440 /var/www/html/wp-config.php
sudo chattr +i /var/www/html/wp-config.php

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.