{"id":"CVE-2025-0859","details":"The Post and Page Builder by BoldGrid – Visual Drag and Drop Editor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.27.6 via the template_via_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.","modified":"2026-04-10T05:20:21.501134Z","published":"2025-02-06T10:15:08.340Z","references":[{"type":"WEB","url":"https://wordpress.org/plugins/post-and-page-builder/#developers"},{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/111a1e7f-bc87-4130-a0b2-422d0f98afb6?source=cve"},{"type":"FIX","url":"https://github.com/BoldGrid/post-and-page-builder/pull/638/commits/10e4d1d96fd2735379049259d15896fa6dd35471"},{"type":"FIX","url":"https://plugins.trac.wordpress.org/browser/post-and-page-builder/trunk/includes/class-boldgrid-editor-preview.php#L178"},{"type":"FIX","url":"https://plugins.trac.wordpress.org/changeset?old=3234175&old_path=post-and-page-builder%2Ftags%2F1.27.7%2Fincludes%2Fclass-boldgrid-editor-preview.php&new=3234175&new_path=post-and-page-builder%2Ftags%2F1.27.7%2Fincludes%2Fclass-boldgrid-editor-preview.php"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/BoldGrid/post-and-page-builder","events":[{"introduced":"0"},{"fixed":"f48b71fb1cf128e58d2c09967b323f872487e3a4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.27.7"}]}}],"versions":["1.0.8","1.0.9","1.1","1.1.1","1.1.1.1","1.1.1.2","1.1.2","1.1.3","1.10.0","1.10.0-rc.1","1.10.1","1.10.2","1.10.3","1.10.4","1.10.5","1.10.6","1.11.0","1.11.0-rc.1","1.11.1","1.11.2","1.12.0","1.12.1","1.12.2","1.13.0","1.13.1","1.13.2","1.13.3","1.13.3-rc.1","1.13.4","1.13.5","1.13.5-rc.1","1.13.6","1.14.0","1.14.1","1.14.2","1.15.0","1.15.1","1.15.2","1.16.0","1.17.0","1.18.0","1.2.13","1.2.6","1.2.7","1.2.8","1.2.9","1.21.2","1.21.3","1.22.1","1.22.1-rc1","1.22.2","1.23.0","1.23.1","1.23.2","1.24.0","1.24.2","1.25.0","1.25.1","1.26.0","1.26.1","1.26.2","1.26.3","1.26.4","1.26.5","1.26.6","1.26.7","1.27.0","1.27.1","1.27.2","1.27.3","1.27.4","1.27.5","1.27.6","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.4","1.4.1","1.4.2","1.4.3","1.4.4","1.4.6","1.4.7","1.4.8","1.5.1","1.5.2","1.6","1.6.1","1.7.0","1.7.0-alpha.1","1.7.0-alpha.2","1.7.0-rc.1","1.7.0-rc.2","1.7.0-rc.3","1.7.0-rc.4","1.7.0-rc.5","1.7.1","1.8.0","1.8.0-alpha.1","1.8.0-alpha.3","1.8.0-rc.1","1.8.0-rc.2","1.8.0-rc.3","1.8.0-rc.4","1.8.0-rc.5","1.9.0","1.9.0-rc.1","1.9.0-rc.2","1.9.0-rc.3","uability-testing"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-0859.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}