Security Alert Summary
The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress contains an arbitrary file read vulnerability in versions up to and including 1.0.1. Authenticated users with Contributor-level access and above can supply a crafted iconSVG parameter used during server-side rendering of the thim-blocks/icon block to read files on the server, potentially exposing sensitive files such as wp-config.php.
CVE Details
- CVE ID: CVE-2025-13725
- Affected plugin / component: Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor (thim-blocks), server-side rendering of the
thim-blocks/iconblock - Affected versions: All versions up to and including 1.0.1
- Published: January 17, 2026 at 4:16:06 AM
- Last modified: January 17, 2026 at 4:16:06 AM
- CVSS v3.1: Base Score 6.5, MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Authentication / privileges / user interaction: Authenticated attackers with Contributor-level access and above; Privileges Required: Low; User Interaction: None
- Primary impact: Confidentiality: High; Integrity: None; Availability: None
- CWE / weakness: CWE-22 (Path Traversal)
Technical Details
The vulnerability is an arbitrary file read caused by insufficient path validation in the server-side rendering of the thim-blocks/icon block. The block accepts an iconSVG parameter that is not properly validated or constrained, allowing an authenticated user with Contributor-level privileges (or higher) to reference files outside the intended directory. When the server-side rendering code processes this parameter, it can return the contents of arbitrary files on the server.
The CVE references the plugin’s IconBlockType.php implementation (server-side rendering paths) where the inadequate path checks occur. The vulnerable behavior enables reading sensitive files such as wp-config.php when a crafted iconSVG input points to such files.
How This Could Impact Your Website
In a realistic multi-user environment, an external contractor or a contributor account with the ability to add or edit blocks could exploit this issue to read files that contain configuration secrets. For example, a contributor could craft content that triggers the vulnerable rendering path to exfiltrate the site wp-config.php, which may contain database credentials and salts. A site owner and internal staff may not notice the access if the attacker operates via a legitimate contributor account.
Exposed configuration files or other sensitive files can lead to disclosure of internal user email addresses, database credentials, or API keys. That information increases the likelihood of targeted phishing or social engineering against site staff or administrators, and could facilitate further attacks elsewhere.
professional review If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Review and reduce unnecessary user roles — especially Contributor accounts — and apply the principle of least privilege.
- Enforce strong passwords and enable two-factor authentication for Editor and Administrator accounts.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual behavior, including unexpected file reads or changes in content rendering.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92
- https://plugins.trac.wordpress.org/browser/thim-blocks/tags/1.0.1/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97
- https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L92
- https://plugins.trac.wordpress.org/browser/thim-blocks/trunk/inc/Gutenberg/Blocks/Icon/IconBlockType.php#L97
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3419638%40thim-blocks&new=3419638%40thim-blocks&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3424998%40thim-blocks&new=3424998%40thim-blocks&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/80de464f-a4b0-4aaf-8869-f8d29a422bdb?source=cve