PT-2025-49003 · WordPress · Webp-Express
Rafshanzani Suhada · Published 2025-12-04 · Updated 2025-12-04 · CVE-2025-11379
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
WebP Express versions prior to 0.25.9
Description
The WebP Express plugin for WordPress is susceptible to information disclosure when used with NGINX. The plugin does not properly randomize the name of its config file, so the file can be accessed directly. This allows unauthenticated attackers to extract configuration data.
Recommendations
Update the WebP Express plugin to a version newer than 0.25.9.
Fix
Information Disclosure
Affected Products
Webp-Express