CVE-2025-69411
published 2026-03-05

CVE-2025-69411: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Robert Seyfriedsberger ionCube tester plus ioncube-tester-plus…

Priority: P2 (60, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: available
EPSS: 1.61% (72.9th percentile)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Robert Seyfriedsberger ionCube tester plus (ioncube-tester-plus) allows Path Traversal. This issue affects ionCube tester plus versions up to and including 1.3 (no lower bound given).

Affected

1 range

Vendor                  Product               Version range   Fixed in
robert_seyfriedsberger  ioncube_tester_plus   <= 1.3          (not listed)

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/ioncube-tester-plus/loader-wizard.php
url:  {{BaseURL}}/wp-content/plugins/ioncube-tester-plus/loader-wizard.php?page=phpconfig&download=1&ininame=../../../../../../../../etc/passwd
  • Detect unauthenticated GET requests to loader-wizard.php whose 'ininame' parameter contains path traversal sequences (e.g., '../') targeting sensitive files such as /etc/passwd or wp-config.php. Match after URL-decoding the parameter, since payloads may arrive percent- or double-encoded.
  • Look for HTTP responses with Content-Type 'text/plain' and a body matching the pattern 'root:.*:0:0:' to requests made to loader-wizard.php with traversal payloads; this confirms successful exploitation rather than a mere attempt.
  • Flag requests to loader-wizard.php that combine the query parameters page=phpconfig, download=1, and an 'ininame' value with directory traversal sequences as indicators of active exploitation attempts.
  • The vulnerability is unauthenticated: no session, cookie, or authentication token is required, so any anonymous HTTP request can trigger the path traversal.
  • Exploitation requires the ioncube-tester-plus WordPress plugin to be installed at version <= 1.3; version detection via the plugin's readme.txt (Stable tag field) can confirm exposure before any active testing.
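The detection logic above, implemented as an added example that is not part of this advisory or of the plugin: it classifies constructed web-server access-log lines (combined log format; the IPs, timestamps and the double-encoded variant are assumptions), confirms exploitation from a captured response, and parses the plugin's readme.txt Stable tag to decide whether an install is in the affected range.

```python
"""Added example for CVE-2025-69411 detection (not from the advisory or plugin).
Log lines, IPs and the readme.txt content below are constructed test data."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/wp-content/plugins/ioncube-tester-plus/loader-wizard.php"
MAX_AFFECTED = "1.3"  # versions <= 1.3 are affected per the advisory

# Traversal sequences: plain, backslash, single- and double-percent-encoded.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f|%252e%252e%252f)", re.I)
# Combined log format (assumed): ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
PASSWD_RE = re.compile(r"root:.*:0:0:")  # /etc/passwd root entry


def classify_request(line):
    """Return 'exploit_attempt', 'suspicious', or None for one access-log line.

    exploit_attempt: loader-wizard.php with page=phpconfig, download=1 and a
                     traversal sequence in ininame (the known exploit shape).
    suspicious:      traversal in ininame without the full parameter set.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith(TARGET_PATH):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    ininame = query.get("ininame", [""])[0]
    decoded = unquote(ininame)  # second decode catches %252e%252e%252f payloads
    if not (TRAVERSAL_RE.search(ininame) or TRAVERSAL_RE.search(decoded)):
        return None
    if query.get("page") == ["phpconfig"] and query.get("download") == ["1"]:
        return "exploit_attempt"
    return "suspicious"


def confirms_exploitation(content_type, body):
    """True when a response to a traversal request leaked /etc/passwd."""
    return content_type.lower().startswith("text/plain") and PASSWD_RE.search(body) is not None


def _version_tuple(text, width):
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def vulnerable_version(readme_text, max_affected=MAX_AFFECTED):
    """Parse 'Stable tag:' from readme.txt; True if <= max_affected, None if absent."""
    m = re.search(r"^Stable tag:\s*([\d.]+)", readme_text, re.M | re.I)
    if not m:
        return None
    width = max(m.group(1).count("."), max_affected.count(".")) + 1
    return _version_tuple(m.group(1), width) <= _version_tuple(max_affected, width)


def scan(lines):
    """Return (ip, verdict) for every flagged line."""
    hits = []
    for line in lines:
        verdict = classify_request(line)
        if verdict:
            hits.append((LOG_RE.match(line).group("ip"), verdict))
    return hits


# Constructed sample log lines (IPs from documentation ranges).
LOG_LINES = [
    '203.0.113.7 - - [05/Mar/2026:10:00:01 +0000] "GET /wp-content/plugins/ioncube-tester-plus/'
    'loader-wizard.php?page=phpconfig&download=1&ininame=../../../../../../../../etc/passwd HTTP/1.1" 200 2134',
    '203.0.113.7 - - [05/Mar/2026:10:00:02 +0000] "GET /wp-content/plugins/ioncube-tester-plus/'
    'loader-wizard.php?page=phpconfig&ininame=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 512',
    '198.51.100.2 - - [05/Mar/2026:10:00:03 +0000] "GET /wp-content/plugins/ioncube-tester-plus/'
    'loader-wizard.php?page=phpconfig&download=1&ininame=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2134',
    '198.51.100.9 - - [05/Mar/2026:10:00:04 +0000] "GET /wp-content/plugins/ioncube-tester-plus/'
    'loader-wizard.php?page=phpconfig&download=1&ininame=php.ini HTTP/1.1" 200 800',
    '198.51.100.9 - - [05/Mar/2026:10:00:05 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 120',
]
# Constructed readme.txt fragment in the WordPress.org plugin format.
README = "=== ionCube tester plus ===\nRequires at least: 5.0\nStable tag: 1.3\n"

if __name__ == "__main__":
    for ip, verdict in scan(LOG_LINES):
        print(ip, verdict)
    print("affected version:", vulnerable_version(README))
```

The benign request for php.ini and the unrelated traversal against index.php are deliberately left unflagged, so the rule keys on the vulnerable endpoint rather than on `../` anywhere in the log; tune TRAVERSAL_RE if your WAF logs show other encodings.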