Description
The Birth Chart Compatibility plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0. This is due to insufficient protection against directly accessing the plugin's index.php file, which causes an error exposing the full path. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Published: 2025-07-22
Score: 5.3 Medium
EPSS: 3.6% Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The Birth Chart Compatibility WordPress plugin is vulnerable to Full Path Disclosure in all releases up to and including version 2.0. The flaw arises from insufficient protection against direct access to the plugin's index.php file, which triggers an error that reveals the server's absolute file path. This disclosure falls under information-disclosure weaknesses (CWE-200) and can assist attackers in locating application files, but it does not in itself cause direct damage; an attacker would need a separate vulnerability to exploit further.

Affected Systems

The affected product is the Birth Chart Compatibility plugin for WordPress, produced by mia4. Versions up to and including 2.0 are vulnerable. No later releases are known to contain the issue based on the current advisory.

Risk and Exploitability

With a CVSS score of 5.3, the risk is moderate. The EPSS score of 4% indicates a small but non-negligible likelihood of exploitation in the wild, and the vulnerability is not currently catalogued in the CISA KEV list. Exploitation is straightforward: a remote, unauthenticated attacker can issue an HTTP request to the plugin's index.php path, causing the server to return an error page that leaks the full file system path. Because the disclosed path alone does not compromise confidentiality, integrity, or availability, the main risk is that it supports other attacks; it should still be mitigated promptly.

Generated by OpenCVE AI on April 21, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Birth Chart Compatibility plugin to the latest version where the vulnerability has been fixed.
  • If an upgrade is not possible, permanently delete or disable the plugin to eliminate the exposure.
  • As a temporary protective measure, block direct HTTP access to the plugin directory (e.g., using .htaccess rules or firewall rules) so that unauthenticated requests cannot trigger the index.php error.
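The root cause named in the advisory is a plugin entry file that runs WordPress code without checking that WordPress loaded it. The following is an added, constructed illustration of that pattern and of the standard guard that closes it; it is not the Birth Chart Compatibility plugin's code (which the advisory does not show), and the hook and function names are assumed:

```php
<?php
/**
 * Constructed illustration of the full path disclosure pattern described in
 * this advisory. Not the plugin's own code; the names below are assumed.
 *
 * Vulnerable shape (kept commented out): the entry file calls a WordPress
 * function unconditionally. When a visitor requests the file directly
 * (wp-content/plugins/<slug>/index.php), WordPress is not bootstrapped, so
 * PHP raises a fatal error along the lines of
 *   Call to undefined function add_action() in /var/www/html/wp-content/plugins/<slug>/index.php
 * and, if display_errors is enabled, prints that absolute path to the visitor.
 *
 * // add_action( 'plugins_loaded', 'bcc_init' );  // no guard: leaks the path on direct access
 */

// Hardened shape: ABSPATH is defined only when WordPress itself loaded this
// file, so a direct request stops here with an empty 403 instead of an error
// message that embeds the file system path.
if ( ! defined( 'ABSPATH' ) ) {
    http_response_code( 403 );
    exit;
}

add_action( 'plugins_loaded', 'bcc_init' );

function bcc_init() {
    // Plugin logic (assumed) runs only inside a WordPress request.
}
```

Keeping display_errors off on production PHP is the complementary server-side control: it stops this class of leak even in plugins that lack the guard.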

Generated by OpenCVE AI on April 21, 2026 at 19:38 UTC.

Advisories

Source: EUVD
ID: EUVD-2025-22302
Title: The Birth Chart Compatibility plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0. This is due to insufficient protection against directly accessing the plugin's index.php file, which causes an error exposing the full path. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
History

Wed, 23 Jul 2025 20:30:00 +0000

First Time appeared: added Wordpress; Wordpress wordpress
Vendors & Products: added Wordpress; Wordpress wordpress

Tue, 22 Jul 2025 14:15:00 +0000

Metrics: added ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Jul 2025 09:30:00 +0000

Description: added The Birth Chart Compatibility plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0. This is due to insufficient protection against directly accessing the plugin's index.php file, which causes an error exposing the full path. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Title: added Birth Chart Compatibility <= 2.0 - Unauthenticated Full Path Exposure
Weaknesses: added CWE-200
References:
Metrics: added cvssV3_1
  {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:43.535Z

Reserved: 2025-06-13T18:48:39.523Z

Link: CVE-2025-6082

Vulnrichment

Updated: 2025-07-22T13:23:07.442Z

NVD

Status: Deferred

Published: 2025-07-22T10:15:25.443

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6082

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:45:16Z

Weaknesses