Platform
wordpress
Component
webp-express
Fixed version
0.25.10
CVE-2025-11379 affects the WebP Express plugin for WordPress, impacting versions from 0.0.0 through 0.25.9. This vulnerability allows unauthenticated attackers to expose configuration data through direct access to improperly secured configuration files. The issue stems from a lack of randomization in the config file name, making it predictable and accessible. A fix is available in version 0.25.11.
The primary impact of CVE-2025-11379 is the potential exposure of sensitive configuration data. This data could include API keys, database credentials, or other sensitive information used by the WebP Express plugin. An attacker gaining access to this information could leverage it to compromise the WordPress site, potentially leading to data breaches, unauthorized modifications, or complete site takeover. The lack of authentication required to exploit the vulnerability significantly broadens the attack surface, making it accessible to a wide range of attackers.
CVE-2025-11379 was published on December 4, 2025. Its severity is currently assessed as medium. No public proof-of-concept exploits have been identified as of this writing. The vulnerability is not currently listed on KEV or EPSS, suggesting a low probability of active exploitation. Refer to the official WordPress advisory for further details.
Exploitation status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-11379 is to upgrade the WebP Express plugin to version 0.25.11 or later. If upgrading is not immediately feasible, consider implementing a web application firewall (WAF) rule to block direct access to the configuration file. Specifically, block requests targeting the predictable config file name. Additionally, review and restrict file permissions on the WordPress server to minimize the impact of a potential breach. After upgrading, verify the fix by attempting to directly access the configuration file via a web browser; access should be denied.
Update to version 0.25.11, or a newer patched version
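The post-upgrade check described above, as an added script that is not part of the advisory or the plugin: it requests the configuration file on a site you administer and reports whether the server refused it. CONFIG_PATH is a placeholder, since the advisory does not state the file name, and the "ambiguous" outcome exists because some WordPress installs answer missing paths with an HTTP 200 HTML page.

```python
"""Verify that the WebP Express configuration file is not served directly."""
import json
import sys
import urllib.error
import urllib.request

# Placeholder (not from the advisory): substitute the plugin's config file path.
CONFIG_PATH = "/<PATH-TO-WEBP-EXPRESS-CONFIG-FILE>"


def classify(status, content_type, body):
    """Map an HTTP response to 'blocked', 'exposed' or 'ambiguous'.

    401/403/404      -> the server or WAF refused the file: blocked
    2xx + JSON object -> the configuration is being served: exposed
    anything else    -> e.g. a 200 HTML page; review by hand: ambiguous
    """
    if status in (401, 403, 404):
        return "blocked"
    if 200 <= status < 300:
        if "json" in content_type.lower():
            return "exposed"
        try:
            parsed = json.loads(body)
        except (ValueError, TypeError):
            return "ambiguous"
        if isinstance(parsed, dict):
            return "exposed"
    return "ambiguous"


def check_site(base_url, timeout=10):
    """Fetch base_url + CONFIG_PATH and classify the response."""
    url = base_url.rstrip("/") + CONFIG_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "config-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, resp.headers.get("Content-Type", ""), body)
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses arrive as exceptions; classify them the same way.
        return classify(err.code, err.headers.get("Content-Type", ""), "")


if __name__ == "__main__":
    verdict = check_site(sys.argv[1])
    print(f"{sys.argv[1]}: configuration file {verdict}")
    sys.exit(0 if verdict == "blocked" else 1)
```

Run it as `python check.py https://example.org` after upgrading; a non-zero exit means the file is still reachable or the response needs a manual look.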
CVE-2025-11379 is a medium-severity vulnerability affecting WebP Express WordPress plugin versions 0.0.0 through 0.25.9. It allows unauthenticated attackers to extract configuration data because the configuration file name is not randomized and the file can be requested directly.
Yes, if you are using WebP Express plugin versions 0.0.0 through 0.25.9, you are affected by this vulnerability. Upgrade to 0.25.11 or later to mitigate the risk.
Upgrade the WebP Express plugin to version 0.25.11 or later. As a temporary workaround, implement a WAF rule to block direct access to the configuration file.
As of December 4, 2025, there are no publicly known active exploitation campaigns targeting CVE-2025-11379.
Refer to the official WordPress advisory and the WebP Express plugin repository for the latest information and updates regarding CVE-2025-11379.