CVE-2025-13681
Path Traversal in BFG Tools Zipper Plugin Allows Sensitive File Access

Publication date: 2026-02-14

Last updated on: 2026-02-14

Assigner: Wordfence

Description
The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `/wp-content/plugins/` directory, which can contain sensitive information such as wp-config.php.
Meta Information
Published: 2026-02-14
Last modified: 2026-02-14
Generated: 2026-05-07
AI Q&A: 2026-02-14
EPSS evaluated: 2026-05-05
External records: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor: the_bald_fat_guy; Product: bfg_tools_extension_zipper; Version / Range: up to 1.0.7 (inclusive)
Vendor: the_bald_fat_guy; Product: bfg_tools_extension_zipper; Version / Range: 1.0.8
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-13681 is a vulnerability in the WordPress plugin "BFG Tools – Extension Zipper" versions up to and including 1.0.7. The issue arises from insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This flaw allows authenticated users with Administrator-level access or higher to perform a path traversal attack, enabling them to read arbitrary files and directories outside the intended `/wp-content/plugins/` directory.

Essentially, an attacker with admin privileges can exploit this vulnerability to access sensitive files on the server, such as the WordPress configuration file `wp-config.php`, by manipulating the input parameters used during ZIP archive creation.


How can this vulnerability impact me?

This vulnerability can have significant security impacts because it allows an attacker with administrator privileges to read sensitive files outside the plugin directory. Such files may include configuration files like `wp-config.php` that contain database credentials and other sensitive information.

By exploiting this path traversal vulnerability, an attacker could gain access to confidential data, potentially leading to further compromise of the WordPress site or the underlying server environment.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects the BFG Tools – Extension Zipper WordPress plugin versions up to and including 1.0.7. Detection involves verifying whether this plugin is installed and which version is running.

Since the vulnerability requires authenticated attackers with Administrator-level access, detection can include checking for suspicious ZIP creation requests or unexpected access to plugin ZIP archives.

You can check the installed plugin version via the WordPress admin interface or by running commands on the server to inspect the plugin files.

- Check the plugin version by inspecting the plugin header in the plugin file, e.g. run: grep -i 'Version' wp-content/plugins/bfg-tools-extension-zipper/bfg-tools-extension-zipper.php
- Look for suspicious ZIP creation activity in web server logs by searching for POST requests to the plugin's admin page or parameters like 'first_file' or 'zip_name'. For example: grep 'bfgtoexz-extension-zipper' /var/log/apache2/access.log
- Monitor for unauthorized file reads or downloads outside the expected plugin ZIP directory, especially access to sensitive files like wp-config.php.

Because the vulnerability requires administrator access and specific plugin parameters, detection is best combined with auditing admin actions and plugin usage. [1, 2, 4]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to update the BFG Tools – Extension Zipper plugin to version 1.0.8 or later, where the vulnerability is fixed by enforcing strict input validation, sanitization, and path normalization.

If an immediate update is not possible, restrict access to the plugin's admin pages to trusted administrators only and monitor for suspicious ZIP creation requests.

- Update the plugin to version 1.0.8 or later, which includes security fixes preventing path traversal and unauthorized file access.
- Ensure that only users with the 'manage_options' capability (typically administrators) have access to the plugin functionality.
- Verify that nonces are properly used and validated to prevent CSRF attacks on ZIP creation actions.
- Audit and monitor logs for any unusual activity related to ZIP creation or file access through the plugin.

These steps help prevent exploitation by limiting access and ensuring the plugin's secure handling of ZIP creation requests. [1, 2, 4]
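What the "path normalization" named above looks like in practice, as an added example that is not the plugin's own code: a user-supplied `first_file` is joined to the plugins directory, canonicalised with realpath(), and only accepted if the result still lies inside that directory. The function name, the `$base_dir` argument and the constructed temp-directory layout are assumptions made so the script runs outside WordPress (a real plugin would pass WP_PLUGIN_DIR).

```php
<?php
// Added example (not the plugin's own code): confine a user-supplied
// $first_file to the plugins directory before it is read into a ZIP.
// Function and variable names are assumptions; in WordPress the base
// would be the real WP_PLUGIN_DIR constant, here a temp dir is used.
/**
 * Return the canonical path of $first_file when it resolves strictly inside
 * $base_dir; null if it does not exist, escapes the base, or has a NUL byte.
 */
function bfg_example_resolve_within(string $first_file, string $base_dir): ?string
{
    // NUL bytes: filesystem calls truncate or (PHP 8) throw on them.
    if (strpos($first_file, "\0") !== false) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // Always join to the base; an absolute $first_file must not replace it.
    $joined = $base . DIRECTORY_SEPARATOR . ltrim($first_file, '/\\');
    // realpath() collapses "..", "." and symlinks: check where it really ends up.
    $candidate = realpath($joined);
    if ($candidate === false) {
        return null; // non-existent target or broken symlink
    }
    // Trailing separator so "/plugins-old" fails a prefix check against "/plugins".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // outside the base (the base itself is rejected too)
    }
    return $candidate;
}

// Constructed directory layout so the script runs outside WordPress.
$base_dir = sys_get_temp_dir() . '/bfg_example_plugins';
@mkdir($base_dir . '/my-plugin', 0700, true);
file_put_contents($base_dir . '/my-plugin/main.php', "<?php // constructed\n");
file_put_contents(sys_get_temp_dir() . '/bfg_example_secret.txt', "constructed\n");
$cases = [ // input => should be allowed
    'my-plugin/main.php'                     => true,
    '../bfg_example_secret.txt'              => false,
    'my-plugin/../../bfg_example_secret.txt' => false,
    '/etc/hostname'                          => false, // re-rooted under base, absent
];
foreach ($cases as $input => $expected) {
    $allowed = bfg_example_resolve_within($input, $base_dir) !== null;
    printf("%-42s %s\n", $input, $allowed === $expected ? 'ok' : 'MISMATCH');
}
```

Because the check compares canonical paths rather than the submitted string, encoded or doubled `../` sequences and symlinks pointing outside the plugins directory are rejected the same way as a plain traversal.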

