CVE-2025-13681
Unknown Unknown - Not Provided
Path Traversal in BFG Tools Zipper Plugin Allows Sensitive File Access

Publication date: 2026-02-14

Last updated on: 2026-02-14

Assigner: Wordfence

Description
The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `/wp-content/plugins/` directory, which can contain sensitive information such as wp-config.php.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-02-14
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13681
EUVD
EUVD-2025-206977
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
the_bald_fat_guy bfg_tools_extension_zipper to 1.0.7 (inc)
the_bald_fat_guy bfg_tools_extension_zipper 1.0.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-13681 is a vulnerability in the WordPress plugin "BFG Tools – Extension Zipper" versions up to and including 1.0.7. The issue arises from insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This flaw allows authenticated users with Administrator-level access or higher to perform a path traversal attack, enabling them to read arbitrary files and directories outside the intended `/wp-content/plugins/` directory.

Essentially, an attacker with admin privileges can exploit this vulnerability to access sensitive files on the server, such as the WordPress configuration file `wp-config.php`, by manipulating the input parameters used during ZIP archive creation.

Impact Analysis

This vulnerability can have significant security impacts because it allows an attacker with administrator privileges to read sensitive files outside the plugin directory. Such files may include configuration files like `wp-config.php` that contain database credentials and other sensitive information.

By exploiting this path traversal vulnerability, an attacker could gain access to confidential data, potentially leading to further compromise of the WordPress site or the underlying server environment.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability affects the BFG Tools – Extension Zipper WordPress plugin versions up to and including 1.0.7. Detection involves verifying if this plugin is installed and which version is running.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires authenticated attackers with Administrator-level access, detection can include checking for suspicious ZIP creation requests or unexpected access to plugin ZIP archives.'}, {'type': 'paragraph', 'content': 'You can check the installed plugin version via WordPress admin or by running commands on the server to inspect the plugin files.'}, {'type': 'list_item', 'content': "Check the plugin version by inspecting the plugin header in the plugin file, e.g., run: grep -i 'Version' wp-content/plugins/bfg-tools-extension-zipper/bfg-tools-extension-zipper.php"}, {'type': 'list_item', 'content': "Look for suspicious ZIP creation activity in web server logs by searching for POST requests to the plugin's admin page or parameters like 'first_file' or 'zip_name'. For example: grep 'bfgtoexz-extension-zipper' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': 'Monitor for unauthorized file reads or downloads outside the expected plugin ZIP directory, especially access to sensitive files like wp-config.php.'}, {'type': 'paragraph', 'content': 'Because the vulnerability requires administrator access and specific plugin parameters, detection is best combined with auditing admin actions and plugin usage.'}] [1, 2, 4]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to update the BFG Tools – Extension Zipper plugin to version 1.0.8 or later, where the vulnerability is fixed by enforcing strict input validation, sanitization, and path normalization.'}, {'type': 'paragraph', 'content': "If immediate update is not possible, restrict access to the plugin's admin pages to trusted administrators only and monitor for suspicious ZIP creation requests."}, {'type': 'list_item', 'content': 'Update the plugin to version 1.0.8 or later, which includes security fixes preventing path traversal and unauthorized file access.'}, {'type': 'list_item', 'content': "Ensure that only users with the 'manage_options' capability (typically administrators) have access to the plugin functionality."}, {'type': 'list_item', 'content': 'Verify that nonces are properly used and validated to prevent CSRF attacks on ZIP creation actions.'}, {'type': 'list_item', 'content': 'Audit and monitor logs for any unusual activity related to ZIP creation or file access through the plugin.'}, {'type': 'paragraph', 'content': "These steps help prevent exploitation by limiting access and ensuring the plugin's secure handling of ZIP creation requests."}] [1, 2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13681. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart