CVE-2025-6722

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-6722
The BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5 via the bitfire_* directory that automatically gets created and stores potentially sensitive files without any access restrictions. This makes it possible for unauthenticated attackers to extract sensitive data from various files like config.ini, debug.log, and more when directory listing is enabled on the server.

5.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3334399%40bitfire&new=3334399%40bitfire&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3335461%40bitfire&new=3335461%40bitfire&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/72320980-733d-4fe6-9a13-39c476b77298?source=cve
Configurations

No configuration.

History

05 Aug 2025, 20:15

Type Values Removed Values Added
Summary (en) The BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5 via the bitfire_* directory that automatically gets created and stores potentially sensitive files without any access restrictions. This makes it possible for unauthenticated attackers to extract sensitive data from various files like config.ini, debug.log, and more. (en) The BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5 via the bitfire_* directory that automatically gets created and stores potentially sensitive files without any access restrictions. This makes it possible for unauthenticated attackers to extract sensitive data from various files like config.ini, debug.log, and more when directory listing is enabled on the server.

04 Aug 2025, 15:06

Type Values Removed Values Added
Summary
  • (es) El complemento BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security para WordPress es vulnerable a la Exposición de Información Sensible en todas las versiones hasta la 4.5 incluida, a través del directorio bitfire_*, que se crea automáticamente y almacena archivos potencialmente sensibles sin restricciones de acceso. Esto permite a atacantes no autenticados extraer información sensible de diversos archivos como config.ini, debug.log, etc.

02 Aug 2025, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-02 10:15

Updated : 2025-08-05 20:15

NVD link : CVE-2025-6722

Mitre link : CVE-2025-6722

CVE.ORG link : CVE-2025-6722

JSON object : View

Products Affected

No product.

CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor