CVE-2025-8422

HIGH

Propovoice: All-in-One Client Management System <=1.7.6.7 - Arbitrary File Read

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-8422. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2025-8422, an unauthenticated arbitrary file read vulnerability in the Propovoice WordPress plugin. The exploit leverages a path traversal flaw in the send_email() function to read sensitive files via email attachments.

Description

The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Exploits (1)

nomisec WORKING POC
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2025-8422

This repository contains a functional Python exploit for CVE-2025-8422, an unauthenticated arbitrary file read vulnerability in the Propovoice WordPress plugin. The exploit leverages a path traversal flaw in the send_email() function to read sensitive files via email attachments.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Propovoice WordPress plugin <= 1.7.6.7
No auth needed
Prerequisites: WordPress site with vulnerable Propovoice plugin installed · Valid email recipient to receive exfiltrated files
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 7.5
EPSS 0.0059
EPSS Percentile 43.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-73
Status published
Products (1)
fassionstorage/Propovoice: All-in-One Client Management System < 1.7.6.7
Published Sep 11, 2025
Tracked Since Feb 18, 2026