CVE-2025-11379
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-04

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-04
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2025-12-04
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11379
EUVD
EUVD-2025-201141
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rosell.dk webp_express 0.25.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The WebP Express plugin for WordPress has a vulnerability in versions up to 0.25.9 where it does not properly randomize the name of its configuration file. This allows unauthenticated attackers to directly access and extract configuration data from the plugin on NGINX servers.

Impact Analysis

This vulnerability can lead to information exposure by allowing attackers to access sensitive configuration data without authentication. This could potentially be used to gain insights into the system setup or aid in further attacks.

Mitigation Strategies

To mitigate this vulnerability, immediately update or remove the WebP Express plugin if it is installed, especially if using version 0.25.9 or earlier. Since the plugin was closed as of December 1, 2025, pending a full review, users should disable or uninstall it to prevent exposure of configuration files. Additionally, ensure proper server rules are enabled on NGINX to restrict direct access to config files, preventing unauthenticated attackers from extracting configuration data. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11379. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart