CVE-2025-8484
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-11

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 2.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-11
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-10-11
EPSS Evaluated
2026-06-14
NVD
CVE-2025-8484
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress code_quality_control_tool *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Code Quality Control Tool plugin for WordPress (version 0.1) allows unauthenticated attackers to access publicly exposed log files. These log files contain potentially sensitive information, which should not be accessible to the public. Because the logs are exposed without authentication, attackers can view sensitive data that may be contained within these error logs.

Impact Analysis

This vulnerability can impact you by exposing sensitive information through publicly accessible log files. Attackers can view error logs that may contain details about your WordPress environment, PHP errors, client IP addresses, request URLs, and other potentially sensitive data. This exposure can aid attackers in further exploiting your system or compromising your privacy and security.

Compliance Impact

This vulnerability can negatively affect compliance with standards like GDPR and HIPAA because it exposes potentially sensitive information without proper access controls. Unauthorized disclosure of personal or sensitive data through exposed logs may violate data protection requirements, leading to non-compliance with privacy regulations that mandate safeguarding sensitive information.

Detection Guidance

This vulnerability can be detected by checking for the presence of publicly accessible log files named '_php_errors.log' in the WordPress content directory. You can look for these files via web requests or by searching the server filesystem. Additionally, inspecting the contents of these log files for sensitive information exposure is important. Suggested commands include: 1) Using curl or wget to check if the log file is accessible over HTTP, e.g., `curl -I https://yourwordpresssite.com/wp-content/_php_errors.log` 2) Searching the server for the log file, e.g., `find /path/to/wordpress/wp-content/ -name '_php_errors.log'` 3) Viewing the log file contents with `cat` or `less` to check for sensitive data. Since the plugin logs PHP errors with client IP, error type, message, file, line number, and request URL, reviewing these logs can reveal if sensitive information is exposed. [2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the '_php_errors.log' file to prevent public exposure. This can be done by configuring web server rules (e.g., .htaccess for Apache or location blocks for Nginx) to deny access to these log files. Additionally, disabling the error logging feature in the plugin by setting the 'is_active' configuration to 0 in the '_php_code_control.ini' file will stop further logging. Reviewing and limiting IP filtering and file filtering settings can also reduce exposure. Finally, ensure that the WordPress content directory and its files have proper permissions to prevent unauthorized access. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8484. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart