CVE-2025-11379 in WebP Express Plugin

Summary

by MITRE • 12/04/2025

The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data.


Analysis

by VulDB Data Team • 12/07/2025

The vulnerability identified as CVE-2025-11379 affects the WebP Express plugin for WordPress, a widely used tool for serving images in the WebP format on WordPress websites. The plugin allows website administrators to convert images to WebP automatically for improved performance and reduced bandwidth usage. The vulnerability stems from improper configuration file handling within the plugin's architecture, specifically in how it names its configuration files. All versions of the plugin up to and including 0.25.9 are affected, making it a significant concern for WordPress site owners who have deployed this optimization tool.

The technical flaw lies in the plugin's failure to properly randomize or obscure the configuration file names during the installation or runtime process. This weakness creates predictable file paths that can be accessed directly through web requests, particularly on NGINX web servers where the plugin's default configuration does not adequately protect these sensitive files. The lack of proper randomization means that attackers can easily guess or enumerate the configuration file names, allowing them to bypass authentication mechanisms entirely. This issue represents a classic case of insecure direct object reference vulnerability where predictable file names expose internal system configuration details to unauthorized users.

The operational impact of this vulnerability is substantial as it provides unauthenticated attackers with access to sensitive configuration data that may include database connection credentials, API keys, plugin settings, and other system parameters that could be leveraged for further attacks. The exposure of such information could enable attackers to escalate their privileges, gain deeper access to the WordPress installation, or even compromise the entire hosting environment. This vulnerability directly aligns with CWE-200, which describes improper exposure of sensitive information, and can be categorized under ATT&CK technique T1528, where adversaries attempt to access credentials stored in configuration files or databases. The risk is particularly elevated for WordPress installations that rely heavily on the WebP Express plugin for image optimization, as these sites become potential entry points for attackers seeking to exploit the exposed configuration data.

Security mitigations for this vulnerability include upgrading immediately to the latest version of the WebP Express plugin, where the issue has been addressed through proper randomization of configuration file names and the implementation of appropriate access controls. Website administrators should also add further protections: restricting access to configuration files through the web server configuration, using .htaccess rules to block direct access to sensitive file types, and setting file permissions that prevent unauthorized access to plugin configuration files. Organizations should conduct regular security audits of their WordPress installations to identify and remediate similar vulnerabilities, and monitor for unauthorized access attempts against sensitive files. The fix implemented in newer versions typically consists of generating random file names for configuration files and ensuring that these files are protected through server-level access controls so that they cannot be reached directly over the web.
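A defender-side check for the monitoring recommended above, added here as an example and not part of the VulDB entry or the plugin's own code: it scans NGINX access-log lines for requests into the plugin's configuration directory and reports whether each request was served (exposure confirmed) or refused. The config directory path and file names are assumed placeholders, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumed (placeholder) config directory; substitute the path your installation uses.
CONFIG_PATH_PREFIX = "/wp-content/webp-express/config/"

# NGINX "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Strip the query string and percent-decode ("%63onfig" -> "config"): NGINX
    # decodes the path before serving it but logs the raw request line.
    entry["path"] = unquote(entry["path"].split("?", 1)[0])
    return entry

def classify(entry):
    """EXPOSED: config file was served; BLOCKED: request refused; None: unrelated."""
    if not entry["path"].startswith(CONFIG_PATH_PREFIX):
        return None
    if entry["status"] == 200:
        return "EXPOSED"
    return "BLOCKED" if entry["status"] in (401, 403, 404) else "OTHER"

def scan(lines):
    """Return (ip, path, status, verdict) for each request into the config directory."""
    findings = []
    for entry in filter(None, map(parse_line, lines)):  # skip unparseable lines
        verdict = classify(entry)
        if verdict is not None:
            findings.append((entry["ip"], entry["path"], entry["status"], verdict))
    return findings

# Constructed sample log (file names are made up): a served config file, a refused
# request, an ordinary image request, and a percent-encoded request that was served.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2025:10:00:01 +0000] "GET /wp-content/webp-express/config/config.json HTTP/1.1" 200 1843 "-" "curl/8.4.0"
203.0.113.5 - - [04/Dec/2025:10:00:02 +0000] "GET /wp-content/webp-express/config/options.json HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.7 - - [04/Dec/2025:10:00:03 +0000] "GET /wp-content/uploads/2025/12/photo.webp HTTP/1.1" 200 20481 "https://example.test/" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2025:10:00:04 +0000] "GET /wp-content/webp-express/%63onfig/config.json?x=1 HTTP/1.1" 200 1843 "-" "curl/8.4.0"
"""
```

Any EXPOSED verdict after the server-level deny rule is in place means the rule is not matching; the percent-encoded case is why the scanner decodes paths before comparing.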

Disclosure

12/04/2025

Moderation

accepted

CPE

ready

EPSS

0.00050

KEV

no

Activities

very low

Sources
