CVE-2025-11379
BaseFortify
Publication date: 2025-12-04
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rosell.dk | webp_express | 0.25.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The WebP Express plugin for WordPress has a vulnerability in versions up to 0.25.9 where it does not properly randomize the name of its configuration file. This allows unauthenticated attackers to directly access and extract configuration data from the plugin on NGINX servers.
How can this vulnerability impact me? :
This vulnerability can lead to information exposure by allowing attackers to access sensitive configuration data without authentication. This could potentially be used to gain insights into the system setup or aid in further attacks.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update or remove the WebP Express plugin if it is installed, especially if using version 0.25.9 or earlier. Since the plugin was closed as of December 1, 2025, pending a full review, users should disable or uninstall it to prevent exposure of configuration files. Additionally, ensure proper server rules are enabled on NGINX to restrict direct access to config files, preventing unauthenticated attackers from extracting configuration data. [1]