Security researchers found a critical weakness in millions of WordPress websites using the popular Smush Image Compression and Optimization plugin, published by WPMU DEV. This flaw, logged officially as CVE-2025-22288, is a classic “path traversal” bug – a mistake that can allow attackers to snoop around every file in your website’s storage. If you manage or develop WordPress sites, you need to know what went wrong, where, and how to fix it fast.

## What is Path Traversal, and Why is It Dangerous?

Path traversal is an old but still very common web vulnerability. It happens when an application lets users control file paths without *properly* validating them, so instead of asking for file.jpg someone can ask for .../...//config.php. The result: attackers can read sensitive files such as your database configuration and private credentials.

## Where’s the Bug? Which Versions Are Affected?

The CVE-2025-22288 vulnerability exists in all Smush versions up to and including 3.17 (released before June 2024). Everyone running these versions is exposed.

The problematic code is found in the plugin’s file-handling functions. Let’s break it down.

## Technical Deep Dive: What’s the Root Cause?

The plugin processes image files and lets administrators optimize and manage them. Somewhere in the code (simplified here), a user-supplied path is concatenated onto the uploads directory without strict sanitization.

Code snippet (vulnerable logic, simplified):

```php
<?php
// Simplified vulnerable logic: the user-controlled 'image' parameter is
// joined to the uploads directory with no validation, so '..' segments
// walk out of the uploads tree.
$upload_dir = wp_upload_dir();
$image_path = $_GET['image']; // no sanitization!

$full_path = $upload_dir['basedir'] . '/' . $image_path;

if (file_exists($full_path)) {
    // Do something with the file
}
```

If an attacker calls

```
https://your-site/wp-admin/admin-ajax.php?action=smush_optimize&image=.../...//wp-config.php
```

they can force the plugin to open sensitive files *outside the safe uploads directory*.

```
http(s)://target-site.com/wp-admin/admin-ajax.php?action=smush_optimize&image=.../...//wp-config.php
```

```sh
curl "https://target-site.com/wp-admin/admin-ajax.php?action=smush_optimize&image=.../...//wp-config.php"
```

Observe the Response:

- If the server returns the contents of wp-config.php, you now have the WordPress database login credentials.

*Note: The actual affected file and parameter may differ – always check the latest plugin source for exact details.*

### Why Does ‘.../...//’ Work?

Attackers use extra dots, and doubled or tripled slashes, to get past weak “input filtering.” Some PHP path handling collapses those odd patterns into a plain ../, so the application ends up walking back up the directory tree.
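The fix is not a better blacklist of dot patterns but positive validation plus a containment check after canonicalization. The following is an added example, not Smush's or WPMU DEV's code: it shows the simplified vulnerable handler above in hardened form. It assumes WordPress is loaded (wp_upload_dir, current_user_can, check_ajax_referer, wp_send_json_error, wp_send_json_success and add_action are core functions); the function names, the nonce action name and the image-extension allowlist are assumptions for illustration.

```php
<?php
// Added example, not Smush's code: hardened replacement for the simplified
// vulnerable handler. Assumes WordPress is loaded; the function names, nonce
// action and extension allowlist are assumptions for illustration.

/**
 * Resolve a user-supplied relative image path inside the uploads directory.
 * Returns the canonical absolute path, or false if the input is rejected.
 */
function smush_example_resolve_upload_path( string $user_input, string $base_dir ) {
    // Reject empty input and NUL bytes before anything touches the filesystem.
    if ( $user_input === '' || strpos( $user_input, "\0" ) !== false ) {
        return false;
    }

    // Treat backslashes as separators so "..\" variants get the same scrutiny.
    $relative = str_replace( '\\', '/', $user_input );

    // Allowlist each path segment: letters, digits, '_', '-' and single
    // interior dots. This rejects '', '.', '..', '...' and '....' segments,
    // so the ".../...//" payload fails here without any ".." blacklist.
    foreach ( explode( '/', $relative ) as $segment ) {
        if ( ! preg_match( '/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$/', $segment ) ) {
            return false;
        }
    }

    // Canonicalize both sides and require the result to stay under the base.
    // realpath() resolves symlinks and returns false for missing files, which
    // is what we want: a path that does not exist is not a valid target either.
    $base = realpath( $base_dir );
    $full = realpath( $base_dir . '/' . $relative );
    if ( $base === false || $full === false ) {
        return false;
    }
    if ( strpos( $full, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;
    }

    // Finally, only image extensions make sense for an image optimizer.
    $ext = strtolower( pathinfo( $full, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif', 'webp' ), true ) ) {
        return false;
    }
    return $full;
}

/**
 * AJAX handler: authorization and CSRF checks first, then the path check.
 */
function smush_example_optimize_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'smush_example_optimize' ); // nonce action name is an assumption

    $upload_dir = wp_upload_dir();
    $image      = isset( $_GET['image'] ) ? (string) $_GET['image'] : '';
    $full_path  = smush_example_resolve_upload_path( $image, $upload_dir['basedir'] );

    if ( false === $full_path ) {
        wp_send_json_error( 'invalid image path', 400 );
    }

    // Safe to operate on $full_path here: it is an existing image under uploads/.
    wp_send_json_success( array( 'path' => basename( $full_path ) ) );
}
add_action( 'wp_ajax_smush_example_optimize', 'smush_example_optimize_handler' );
```

Two design points: the segment allowlist is deliberately strict (it rejects non-ASCII file names), so widen the character class if your uploads contain such names, but keep the realpath containment check regardless, because that check is what holds even when the allowlist is loosened; and the capability and nonce checks run before any path handling, since an admin-ajax action that touches the filesystem should never be reachable by unauthenticated or cross-site requests.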

This bug potentially lets attackers:

- Read wp-config.php (database credentials and secret keys)

## Recommendations: How to Stay Safe

- Update to Smush 3.17.1 or newer (see the plugin changelog)
- Restrict access to /wp-admin/admin-ajax.php if possible
- Use your web server configuration to block dot-dot path traversal attempts
- Monitor your logs for suspicious requests containing ....// or other runs of dots and slashes
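For the log-monitoring recommendation, here is an added example, not part of the original post: a small PHP scanner that reads combined-format access log lines, picks out requests to admin-ajax.php, and flags ones whose URI contains traversal-style dot sequences. It goes slightly beyond the page's literal ....// pattern by decoding the URI twice first, so URL-encoded and double-encoded forms of the same thing are caught as well. The function names and the four log lines are constructed for this example.

```php
<?php
// Added example, not from the original post: flag traversal-looking requests
// against admin-ajax.php in access logs. Function names and the sample log
// lines below are constructed for illustration.

/**
 * True if the request URI contains a run of two or more dots used as a path
 * segment (.., ..., ....//), after undoing single and double URL encoding.
 */
function smush_example_is_traversal_request( string $request_uri ): bool {
    // Decode twice so %2e%2e and %252e%252e both become literal dots.
    $decoded = rawurldecode( rawurldecode( $request_uri ) );
    // Treat backslashes like slashes.
    $decoded = str_replace( '\\', '/', $decoded );
    // A dot run must be bounded by start-of-string, '/', '=' or '&' on the
    // left and '/' or end-of-string on the right, so a legitimate name such
    // as "my..file.jpg" is not flagged.
    return (bool) preg_match( '#(^|[/=&])\.{2,}(/|$)#', $decoded );
}

/**
 * Scan combined-format log lines; return the suspicious admin-ajax requests.
 */
function smush_example_scan_log( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        // client ident user [timestamp] "METHOD URI PROTO" status ...
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
            continue;
        }
        list( , $ip, $ts, $uri, $status ) = $m;
        if ( stripos( $uri, 'admin-ajax.php' ) !== false && smush_example_is_traversal_request( $uri ) ) {
            $hits[] = array( 'ip' => $ip, 'time' => $ts, 'uri' => $uri, 'status' => (int) $status );
        }
    }
    return $hits;
}

// Constructed sample log: one benign optimize request, the page's payload,
// a URL-encoded variant, and an unrelated request.
$sample_log = array(
    '203.0.113.5 - - [06/Nov/2025:16:20:01 +0000] "GET /wp-admin/admin-ajax.php?action=smush_optimize&image=2024/06/photo.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Nov/2025:16:21:44 +0000] "GET /wp-admin/admin-ajax.php?action=smush_optimize&image=.../...//wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.9 - - [06/Nov/2025:16:21:50 +0000] "GET /wp-admin/admin-ajax.php?action=smush_optimize&image=..%2F..%2Fwp-config.php HTTP/1.1" 403 0 "-" "curl/8.0"',
    '192.0.2.7 - - [06/Nov/2025:16:22:10 +0000] "GET /index.php?p=1 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
);

// The second and third lines are reported; the first and fourth are not.
foreach ( smush_example_scan_log( $sample_log ) as $hit ) {
    printf( "%s %s status=%d %s\n", $hit['time'], $hit['ip'], $hit['status'], $hit['uri'] );
}
```

When triaging the output, the status code is the first thing to look at: a 403 means a server-side block did its job, while a 200 with a non-trivial response size on a traversal request is the case the article warns about and deserves an immediate check of whether the site is still on an affected Smush version.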

## References & Further Reading

- Smush Image Compression and Optimization - WordPress Plugin
- CVE-2025-22288 at NVD (*pending official link*)
- OWASP: Path Traversal Cheat Sheet
- A lesson in input validation (PortSwigger)

## Conclusion

CVE-2025-22288 is a dangerous path traversal vulnerability affecting one of the most widely used WordPress plugins for images. By just updating to the latest Smush version and reviewing your access policies, you can block this simple but highly risky exploit. Always validate, sanitize, and *never trust user input* in your web applications!


*Want to check your site? Use WP-CLI, audit your plugins, and stay subscribed to official plugin security updates. Your WordPress site’s security depends on it.*

## Timeline

Published on: 11/06/2025 16:15:49 UTC
Last modified on: 11/13/2025 11:15:52 UTC