CVE-2025-49237 in POEditor Plugininfo

Summary

by MITRE • 06/06/2025

Cross-Site Request Forgery (CSRF) vulnerability in POEditor POEditor allows Path Traversal. This issue affects POEditor: from n/a through 0.9.10.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/06/2025

The CVE-2025-49237 vulnerability represents a critical security flaw in the POEditor application that combines both cross-site request forgery and path traversal exploitation vectors. This vulnerability exists within the POEditor platform, a popular translation management system used by developers and localization teams worldwide. The flaw specifically affects versions ranging from n/a through 0.9.10, indicating that any installation within this range could be compromised. The combination of CSRF and path traversal elements creates a particularly dangerous attack surface that could enable unauthorized users to manipulate the application's behavior while simultaneously gaining access to unintended file system locations.

The technical implementation of this vulnerability stems from insufficient validation of user inputs and inadequate protection mechanisms against unauthorized requests. When a user interacts with the POEditor application, the system fails to properly verify the origin and authenticity of requests, allowing malicious actors to craft forged requests that appear legitimate to the application. This CSRF component enables attackers to perform actions on behalf of authenticated users without their knowledge or consent. Additionally, the path traversal aspect suggests that the application does not properly sanitize file paths or directory references, potentially allowing attackers to navigate through the file system beyond intended boundaries.

The operational impact of this vulnerability extends beyond simple data theft or modification, as it could enable full system compromise depending on the application's configuration and permissions. An attacker exploiting this vulnerability could potentially read sensitive files, modify configuration data, or even execute arbitrary code if the application has sufficient privileges. The path traversal component specifically targets file system access controls, potentially exposing database files, configuration files, or other sensitive data that should remain protected. This vulnerability particularly affects organizations using POEditor for managing application translations, as it could lead to unauthorized access to translation files that might contain sensitive information or system configuration details.

Organizations should immediately implement mitigations including input validation, CSRF token implementation, and proper file system access controls. The recommended approach involves deploying anti-CSRF tokens that are generated per session and validated for each request, ensuring that only legitimate user interactions can modify application state. Additionally, implementing proper path validation and sanitization mechanisms will prevent attackers from manipulating file system paths through malicious input. According to CWE guidelines, this vulnerability aligns with CWE-352 for CSRF and CWE-22 for path traversal, both of which are classified as high-risk issues in the Common Weakness Enumeration catalog. The ATT&CK framework would categorize this as a privilege escalation and persistence technique, as successful exploitation could enable attackers to maintain access and potentially expand their foothold within the system. Organizations should also consider implementing web application firewalls and monitoring for suspicious request patterns that could indicate exploitation attempts. Regular security audits and vulnerability assessments should be conducted to identify similar issues across the entire application stack, as the combination of these two vulnerabilities suggests potential architectural weaknesses that could affect other components.

Responsible

Patchstack

Reservation

06/04/2025

Disclosure

06/06/2025

Moderation

accepted

CPE

ready

EPSS

0.00166

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!