CVE-2025-11379
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-11379, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-04

Last updated on: 2026-04-08

Assigner: Wordfence

Description

The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-04
Last Modified
2026-04-08
Generated
2026-07-06
AI Q&A
2025-12-04
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
rosell.dk webp_express 0.25.9

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The WebP Express plugin for WordPress has a vulnerability in versions up to 0.25.9 where it does not properly randomize the name of its configuration file. This allows unauthenticated attackers to directly access and extract configuration data from the plugin on NGINX servers.

Impact Analysis

This vulnerability can lead to information exposure by allowing attackers to access sensitive configuration data without authentication. This could potentially be used to gain insights into the system setup or aid in further attacks.

Mitigation Strategies

To mitigate this vulnerability, immediately update or remove the WebP Express plugin if it is installed, especially if using version 0.25.9 or earlier. Since the plugin was closed as of December 1, 2025, pending a full review, users should disable or uninstall it to prevent exposure of configuration files. Additionally, ensure proper server rules are enabled on NGINX to restrict direct access to config files, preventing unauthenticated attackers from extracting configuration data. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11379. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart