Description
The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data.
Published: 2025-12-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Update Plugin
AI Analysis

Impact

The WebP Express plugin for WordPress is vulnerable because it fails to randomize the name of its configuration file, allowing direct file access on NGINX servers. This flaw permits unauthenticated users to retrieve the configuration file and read sensitive internal settings. The vulnerability falls under CWE-200, which concerns the inadvertent exposure of information.

Affected Systems

Any WordPress site using the roselldk WebP Express plugin up to and including version 0.25.9 is affected. Users operating older versions of the plugin without an upgrade present a potential attack surface.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is less than 1 % and the vulnerability is not listed in the CISA KEV catalog, suggesting a low probability of exploitation in the wild. Attackers could exploit the flaw remotely by issuing a standard HTTP request that targets the predictable configuration file name, gaining access to the file’s contents.

Generated by OpenCVE AI on April 21, 2026 at 01:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WebP Express plugin to version 0.26.0 or later from the WordPress.org repository or the vendor’s website.
  • If an immediate upgrade is not possible, deactivate or uninstall the plugin to remove the vulnerable component.
  • Configure the web server to deny or return a 403 response for requests to the plugin’s configuration file path, preventing direct access.

Generated by OpenCVE AI on April 21, 2026 at 01:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Thu, 04 Dec 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Roselldk
Roselldk webp Express
Wordpress
Wordpress wordpress
Vendors & Products Roselldk
Roselldk webp Express
Wordpress
Wordpress wordpress

Thu, 04 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data.
Title WebP Express <= 0.25.9 - Unauthenticated Information Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Roselldk Webp Express
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:09.176Z

Reserved: 2025-10-06T16:49:53.311Z

Link: CVE-2025-11379

cve-icon Vulnrichment

Updated: 2025-12-04T14:30:26.343Z

cve-icon NVD

Status : Deferred

Published: 2025-12-04T05:16:19.720

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11379

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:15:20Z

Weaknesses