Vulnerability-Lookup

CNVD-2026-06909

Vulnerability from cnvd - Published: 2026-01-23

Title

WordPress Gotham Block Extra Light plugin路径遍历漏洞

Description

WordPress Gotham Block Extra Light plugin是一个用于检测访客浏览器是否启用了广告拦截软件（如AdBlock）的工具。 WordPress Gotham Block Extra Light plugin存在路径遍历漏洞，该漏洞源于ghostban短代码处理不当，攻击者可利用该漏洞导致任意文件读取。

Severity

中

Formal description

目前厂商尚未发布升级程序修复该安全问题，详情见厂商官网： https://wordpress.org/

Reference

https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/premium/ghostban.php?marks=56#L56

Impacted products

Name
WordPress Gotham Block Extra Light plugin <=1.5.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-15020",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-15020"
    }
  },
  "description": "WordPress Gotham Block Extra Light plugin\u662f\u4e00\u4e2a\u7528\u4e8e\u68c0\u6d4b\u8bbf\u5ba2\u6d4f\u89c8\u5668\u662f\u5426\u542f\u7528\u4e86\u5e7f\u544a\u62e6\u622a\u8f6f\u4ef6\uff08\u5982AdBlock\uff09\u7684\u5de5\u5177\u3002\n\nWordPress Gotham Block Extra Light plugin\u5b58\u5728\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eghostban\u77ed\u4ee3\u7801\u5904\u7406\u4e0d\u5f53\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5c1a\u672a\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://wordpress.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-06909",
  "openTime": "2026-01-23",
  "products": {
    "product": "WordPress Gotham Block Extra Light plugin \u003c=1.5.0"
  },
  "referenceLink": "https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/premium/ghostban.php?marks=56#L56",
  "serverity": "\u4e2d",
  "submitTime": "2026-01-19",
  "title": "WordPress Gotham Block Extra Light plugin\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}

CVE-2025-15020 (GCVE-0-2025-15020)

Vulnerability from cvelistv5 – Published: 2026-01-14 05:28 – Updated: 2026-01-14 19:16

Title

Gotham Block Extra Light <= 1.5.0 - Authenticated (Contributor+) Arbitrary File Read via 'ghostban' Shortcode

Summary

The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

Wordfence

References

URL

Tags

	https://www.wordfence.com/threat-intel/vulnerabil…
	https://plugins.trac.wordpress.org/browser/gotham…

Impacted products

	Vendor	Product	Version
	gothamdev	Gotham Block Extra Light	Affected: * , ≤ 1.5.0 (semver)

Credits

Bhumividh Treloges

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-15020",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T15:44:08.503943Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-14T19:16:35.219Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gotham Block Extra Light",
          "vendor": "gothamdev",
          "versions": [
            {
              "lessThanOrEqual": "1.5.0",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bhumividh Treloges"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the  \u0027ghostban\u0027 shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-14T05:28:10.798Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b194b241-d8f4-430c-b00c-d84190026bad?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/gotham-block-extra-light/trunk/premium/ghostban.php?marks=56#L56"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-19T00:00:00.000+00:00",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2026-01-13T17:17:11.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "Gotham Block Extra Light \u003c= 1.5.0 - Authenticated (Contributor+) Arbitrary File Read via \u0027ghostban\u0027 Shortcode"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-15020",
    "datePublished": "2026-01-14T05:28:10.798Z",
    "dateReserved": "2025-12-22T04:47:03.843Z",
    "dateUpdated": "2026-01-14T19:16:35.219Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-06909

CVE-2025-15020 (GCVE-0-2025-15020)

Tags

Sightings

Nomenclature