A critical unauthenticated path traversal flaw in the WordPress Ad Manager WD plugin (v1.0.11) lets remote attackers download arbitrary server files, including wp-config.php, via a crafted CSV export request.
What Is It
CVE-2019-25727 is an arbitrary file download vulnerability (CWE-22, path traversal) in the WordPress Ad Manager WD plugin version 1.0.11. The flaw lives in the edit.php endpoint: when a GET request includes export=export_csv alongside a manipulated path parameter, the plugin returns the contents of the referenced file without authenticating the caller or validating the path. No credentials, user interaction, or prior access are required to trigger it.
Per the NVD record, the issue carries a CVSS v3.1 base score of 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, and a CVSS v4.0 score of 9.3 (Critical). Confidentiality, integrity, and availability impacts are all rated High.
Why It Matters
Any file readable by the web server process is exposed to unauthenticated attackers on the public internet. The advisory specifically calls out wp-config.php as a retrievable target; that file holds WordPress database credentials, authentication keys, and salts. Pulling it down typically yields a direct path to full database compromise, session forgery, and administrative takeover of the affected WordPress site. A public proof-of-concept exists on Exploit-DB (entry 46252), lowering the skill bar for opportunistic attackers scanning for vulnerable installs.
This CVE is not currently listed in CISA's KEV catalog, so confirmed in-the-wild exploitation has not been attested by CISA at the time of writing. Treat it as high-risk on exposure and PoC availability alone.
What's Vulnerable
- Product: WordPress Plugin "Ad Manager WD" by Web-Dorado
- Affected version: 1.0.11
- Vulnerable endpoint: edit.php with export=export_csv and an attacker-controlled path parameter
- Weakness class: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
NVD does not enumerate affected CPEs beyond the description; operators should assume any WordPress site running Ad Manager WD 1.0.11 is exposed.
Patch Status
The supplied NVD record does not name a fixed version or vendor patch advisory. The NVD entry is in "Deferred" status. Recommended interim action: remove or disable the Ad Manager WD plugin on affected WordPress installations, block public access to edit.php for the plugin, and rotate wp-config.php secrets (DB credentials, auth keys, salts) if exposure is suspected.