← volver
CVE-2025-6722

BitFire <= 4.5 - Unauthenticated Information Exposure

CVSS 5.3 MEDIUMEPSS 0.3%CWE-200
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 5.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
02 ago 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5 via the bitfire_* directory that automatically gets created and stores potentially sensitive files without any access restrictions. This makes it possible for unauthenticated attackers to extract sensitive data from various files like config.ini, debug.log, and more when directory listing is enabled on the server and the ~/wp-content/plugins/index.php file is missing or ignored.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N