Description
The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `/wp-content/plugins/` directory, which can contain sensitive information such as wp-config.php.
Published: 2026-02-14
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach via path traversal
Action: Patch
AI Analysis

Impact

The BFG Tools – Extension Zipper plugin for WordPress contains an insufficient input validation issue in the ‘first_file’ parameter of the zip() function, creating a path traversal flaw. This flaw allows an authenticated attacker with Administrator privileges or higher to read the contents of arbitrary files and directories outside the intended /wp-content/plugins/ directory, potentially exposing sensitive data such as wp-config.php. The weakness is a classic example of CWE-22 (Path Traversal).

Affected Systems

Any WordPress site that has the BFG Tools – Extension Zipper plugin installed at version 1.0.7 or earlier is impacted. The vulnerability applies to all versions up to and including 1.0.7.

Risk and Exploitability

The CVSS score of 4.9 indicates a moderate impact, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exfiltration of sensitive files is possible only for users who possess Administrator level or higher access, and requires the attacker to trigger the zip() function with a crafted first_file parameter. The exploitation path therefore demands a logged‑in privileged user and the ability to submit a request to the plugin, so the attack surface is limited to sites with exposed administrative interfaces.

Generated by OpenCVE AI on April 21, 2026 at 16:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the BFG Tools – Extension Zipper plugin to a version that addresses the path traversal flaw (or remove the plugin entirely if a newer version is unavailable).
  • Restrict Administrator privileges to only trusted users and consider revoking unnecessary high‑privilege accounts from the system.
  • Implement strict file‑system permissions on sensitive files such as wp-config.php to limit read access, even to authenticated administrators.

Generated by OpenCVE AI on April 21, 2026 at 16:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Thebaldfatguy
Thebaldfatguy bfg Tools – Extension Zipper
Wordpress
Wordpress wordpress
Vendors & Products Thebaldfatguy
Thebaldfatguy bfg Tools – Extension Zipper
Wordpress
Wordpress wordpress

Sat, 14 Feb 2026 04:00:00 +0000

Type Values Removed Values Added
Description The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `/wp-content/plugins/` directory, which can contain sensitive information such as wp-config.php.
Title BFG Tools – Extension Zipper <= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Thebaldfatguy Bfg Tools – Extension Zipper
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:55:27.141Z

Reserved: 2025-11-25T18:54:26.188Z

Link: CVE-2025-13681

cve-icon Vulnrichment

Updated: 2026-02-17T15:06:51.046Z

cve-icon NVD

Status : Deferred

Published: 2026-02-14T04:15:56.123

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13681

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:15:40Z

Weaknesses