CVE-2025-8484
BaseFortify
Publication date: 2025-10-11
Last updated on: 2026-04-08
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | code_quality_control_tool | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Code Quality Control Tool plugin for WordPress (version 0.1) allows unauthenticated attackers to access publicly exposed log files. These log files contain potentially sensitive information, which should not be accessible to the public. Because the logs are exposed without authentication, attackers can view sensitive data that may be contained within these error logs.
How can this vulnerability impact me?
This vulnerability can impact you by exposing sensitive information through publicly accessible log files. Attackers can view error logs that may contain details about your WordPress environment, PHP errors, client IP addresses, request URLs, and other potentially sensitive data. This exposure can aid attackers in further exploiting your system or compromising your privacy and security.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively affect compliance with standards like GDPR and HIPAA because it exposes potentially sensitive information without proper access controls. Unauthorized disclosure of personal or sensitive data through exposed logs may violate data protection requirements, leading to non-compliance with privacy regulations that mandate safeguarding sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of publicly accessible log files named '_php_errors.log' in the WordPress content directory. You can look for these files via web requests or by searching the server filesystem. Additionally, inspecting the contents of these log files for sensitive information exposure is important. Suggested commands include:
1) Using curl or wget to check if the log file is accessible over HTTP, e.g., `curl -I https://yourwordpresssite.com/wp-content/_php_errors.log`
2) Searching the server for the log file, e.g., `find /path/to/wordpress/wp-content/ -name '_php_errors.log'`
3) Viewing the log file contents with `cat` or `less` to check for sensitive data.
Since the plugin logs PHP errors with client IP, error type, message, file, line number, and request URL, reviewing these logs can reveal if sensitive information is exposed. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the '_php_errors.log' file to prevent public exposure. This can be done by configuring web server rules (e.g., .htaccess for Apache or location blocks for Nginx) to deny access to these log files. Additionally, disabling the error logging feature in the plugin by setting the 'is_active' configuration to 0 in the '_php_code_control.ini' file will stop further logging. Reviewing and limiting IP filtering and file filtering settings can also reduce exposure. Finally, ensure that the WordPress content directory and its files have proper permissions to prevent unauthorized access. [2]
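The web-server rule described above, as an added example that is not part of the advisory or of the plugin: an `.htaccess` file dropped into `wp-content/`. It assumes Apache 2.4 syntax and that `AllowOverride` permits these directives in that directory.

```apache
# Added example (not from the advisory or the plugin): wp-content/.htaccess
#
# Before (weak): no rule at all, so a request for
#   /wp-content/_php_errors.log
# is served as a plain text file to any unauthenticated client.

# After (hardened): refuse every web request for the plugin's log file.
# The file stays readable on disk for administrators with shell access.
<Files "_php_errors.log">
    Require all denied
</Files>

# Optional, broader rule: deny any *.log under wp-content, so other
# plugins that write logs into this directory are covered as well.
<FilesMatch "\.log$">
    Require all denied
</FilesMatch>
```

On Nginx the equivalent is a `location ~* /wp-content/.*\.log$ { deny all; }` block inside the site's `server` context; in both cases confirm the fix by checking that the `curl -I` request from the detection answer now returns a 403 rather than a 200.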