CVE-2025-13725

MEDIUM

Gutenberg Thim Blocks - Page Builder <1.0.1 - Info Disclosure


Description

The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to use the 'iconSVG' parameter to read the contents of arbitrary files on the server, which can contain sensitive information (for example, wp-config.php).
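A defender-side audit for the issue described above, as an added example (not code from the plugin or from this advisory): it scans stored post content for thim-blocks/icon block delimiters whose iconSVG attribute looks like a file reference rather than inline SVG markup. It assumes the attribute is serialized as JSON inside the block comment, as Gutenberg does for block attributes; the function names and sample posts are constructed.

```python
import json
import re

# Opening or self-closing delimiter of the block named in the advisory,
# capturing its JSON attribute object. Assumes attributes live in the comment.
BLOCK_RE = re.compile(r"<!--\s+wp:thim-blocks/icon\s+(\{.*?\})\s+/?-->", re.DOTALL)

def classify(value):
    """Return why an iconSVG value looks like a file reference, or None."""
    v = value.strip()
    if not v or v.startswith("<"):
        return None  # empty, or inline SVG markup
    if ".." in re.split(r"[\\/]", v):
        return "parent-directory segment"
    if v.startswith(("/", "\\")) or re.match(r"[A-Za-z]:[\\/]", v):
        return "absolute path"
    if not v.lower().endswith(".svg"):
        return "non-SVG file name"
    return None

def audit_posts(posts):
    """posts: iterable of (post_id, post_content) -> [(post_id, value, reason)]."""
    findings = []
    for post_id, content in posts:
        for match in BLOCK_RE.finditer(content):
            try:
                attrs = json.loads(match.group(1))  # also decodes JSON unicode escapes
            except json.JSONDecodeError:
                findings.append((post_id, match.group(1), "unparseable attributes"))
                continue
            value = attrs.get("iconSVG")
            reason = classify(value) if isinstance(value, str) else None
            if reason:
                findings.append((post_id, value, reason))
    return findings

# Constructed sample rows, shaped like (ID, post_content) from wp_posts.
SAMPLE_POSTS = [
    (101, r'<!-- wp:thim-blocks/icon {"iconSVG":"\u003csvg\u003e\u003c/svg\u003e"} /-->'),
    (102, '<!-- wp:paragraph --><p>Hi</p><!-- /wp:paragraph -->\n'
          '<!-- wp:thim-blocks/icon {"size":32,"iconSVG":"../../../wp-config.php"} /-->'),
    (103, '<!-- wp:thim-blocks/icon {"iconSVG":"/var/www/html/wp-config.php"} /-->'),
    (104, '<!-- wp:thim-blocks/icon {"iconSVG":"icons/star.svg"} /-->'),
]

if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS):
        print(finding)
```

A finding only shows that such a value was saved in a post; rendering requests that never stored the block would not appear in this audit.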

Scores

CVSS v3 6.5
EPSS 0.0036
EPSS Percentile 27.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (1)
thimpress/Thim Blocks < 1.0.1
Published Jan 17, 2026
Tracked Since Feb 18, 2026