CVE Alert: CVE-2025-8422 – fassionstorage – Propovoice: All-in-One Client Management System
CVE-2025-8422
The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
AI Summary Analysis
Risk verdict
High risk due to unauthenticated arbitrary file read via the vulnerable plugin, enabling potential exposure of sensitive server data.
Why this matters
Independent of user interaction, an attacker can read arbitrary files on the hosting server, including configuration, credentials, or secrets. In WordPress environments, this can facilitate further compromise, data leakage, or credential theft for adjacent services.
Most likely attack path
Network-based access (no authentication, no user interaction) against an internet-exposed WordPress site with the vulnerable plugin active. An attacker sends crafted requests to the plugin endpoint that reaches send_email() to trigger the file read; what can be recovered is bounded by what the web server process itself is permitted to read, which on a typical install includes wp-config.php. Because the flaw grants read access only and the CVSS scope is unchanged, the direct impact is disclosure of data on the affected host; broader compromise follows only if the disclosed material (database credentials, authentication keys and salts, API tokens) is reusable against adjacent services.
Who is most exposed
Sites hosting Propovoice within WordPress, particularly internet-facing deployments on shared or public cloud hosts, or agencies/SMBs using the plugin for client management. Organisations with weak access controls or delayed patching are at highest risk.
Detection ideas
- Unusual, unauthenticated requests targeting plugin endpoints, especially those resembling file-path traversal patterns.
- Successful (HTTP 200) responses on the plugin endpoint whose body sizes match known files rather than the expected API output, or error messages that reveal file-system paths.
- Log spikes from the plugin’s API during off-peak hours or from IPs not associated with normal admin activity.
- Anomalies in access logs when requesting known sensitive files (e.g., config-like paths).
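The four detection ideas above can be turned into a single pass over web server access logs. The script below is an added example for this page, not code from the plugin vendor or the advisory source: it parses combined-format log lines, percent-decodes request targets repeatedly so that double-encoded traversal (%252e%252e%252f) is caught, flags traversal sequences and references to files an arbitrary-read bug is usually aimed at, notes whether the request hit the plugin's path and was served a 200, and counts hits per source address to surface the "spike from one IP" signal. The log lines are constructed, and the REST route /wp-json/propovoice-example/v1/send-email and the PLUGIN_PATH_RE pattern are assumptions: the advisory names the send_email() function but not the HTTP route that reaches it, so substitute the real endpoint once it is known.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format. The REST route
# "/wp-json/propovoice-example/v1/send-email" is a placeholder: the advisory names
# only the send_email() function, not the HTTP route that reaches it.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Aug/2025:03:12:01 +0000] "GET /wp-json/propovoice-example/v1/send-email?file=../../../../wp-config.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.10 - - [10/Aug/2025:03:12:02 +0000] "GET /wp-json/propovoice-example/v1/send-email?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1890 "-" "python-requests/2.31"
203.0.113.10 - - [10/Aug/2025:03:12:03 +0000] "GET /wp-json/propovoice-example/v1/send-email?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.7 - - [10/Aug/2025:14:05:50 +0000] "POST /wp-json/propovoice-example/v1/send-email HTTP/1.1" 200 88 "https://example.org/wp-admin/" "Mozilla/5.0"
192.0.2.55 - - [10/Aug/2025:09:30:00 +0000] "GET /index.php?p=42 HTTP/1.1" 200 7100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files an arbitrary-read primitive on a WordPress host is typically aimed at.
SENSITIVE_FILES = (
    "wp-config.php", "/etc/passwd", "/etc/shadow", "/.env",
    ".htpasswd", "/proc/self/environ",
)

# Assumed locations of the plugin; adjust to the real route once it is known.
PLUGIN_PATH_RE = re.compile(r"/wp-json/propovoice|/wp-content/plugins/propovoice/", re.I)


def normalize(target: str) -> str:
    """Percent-decode up to three times (defeats %252e double encoding),
    fold backslashes to slashes and lower-case the result."""
    cur = target
    for _ in range(3):
        decoded = unquote(cur)
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/").lower()


def classify(target: str) -> list[str]:
    """Return the reasons a request target looks like a file-read attempt."""
    norm = normalize(target)
    reasons = []
    if "../" in norm or norm.endswith("/.."):
        reasons.append("traversal")
    reasons.extend(f"sensitive:{f}" for f in SENSITIVE_FILES if f in norm)
    return reasons


def analyze(log_text: str) -> list[dict]:
    """Parse combined-format lines and return the suspicious ones."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if not reasons:
            continue
        if PLUGIN_PATH_RE.search(m["target"]):
            reasons.append("plugin-endpoint")
        if m["status"] == "200":
            reasons.append("served-200")  # a 200 with traversal suggests the read succeeded
        hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                     "status": m["status"], "reasons": reasons})
    return hits


def hits_by_ip(hits: list[dict]) -> dict[str, int]:
    """Per-source counts; a burst from one address is the 'log spike' signal."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["ts"], h["status"], ",".join(h["reasons"]), h["target"])
    print(hits_by_ip(found))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The legitimate POST from 198.51.100.7 is deliberately left unflagged: the endpoint alone is not evidence, the traversal or sensitive-file reference in the target is. Repeated decoding matters because a WAF or log filter that decodes once will still see %2e%2e%2f and miss the request.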
Mitigation and prioritisation
- Apply the vendor patch by upgrading the plugin to a version later than 1.7.6.7; verify in staging before production.
- If patching immediately isn't possible, disable the plugin or restrict unauthenticated access to its endpoints, and add WAF rules that block path-traversal patterns, including percent-encoded and double-encoded variants.
- Enable strict access controls and monitor for anomalous reads or export attempts against the plugin's endpoints.
- Conduct an impact assessment and rotate any credentials the web server process could have exposed: the database password, the authentication keys and salts in wp-config.php, and any API keys kept in readable files.
- Treat this as a high-priority remediation item and patch in the earliest available maintenance window.