CVE-2025-0822
MEDIUM
Bitapps Bit Assist < 1.5.3 - Path Traversal
The Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the fileID parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Exploits (1)
github · WORKING POC · 3 stars
by certuscyber · python · poc
https://github.com/certuscyber/cve-pocs/tree/main/CVE-2025-0822
References (4)
Scores
CVSS v3: 6.5
EPSS: 0.0009
EPSS Percentile: 25.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-22, CWE-23
Status: published
Products (2):
  bitapps/bit_assist < 1.5.3
  bitpressadmin/Chat Widget: Floating Customer Support Button for 30+ Channels, Supporting SMS, Calls, and Chat – Bit Assist < 1.5.2
Published: Feb 15, 2025
Tracked Since: Feb 18, 2026