Description
The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 2.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
Published: 2025-10-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Patch
AI Analysis

Impact

The Code Quality Control Tool plugin for WordPress has a flaw that lets attackers read log files placed in publicly accessible locations. These log files can contain sensitive data such as configuration details, error messages, or potentially user credentials. The vulnerability is classified as CWE-200 Sensitive Data Exposure and allows an unauthenticated attacker to compromise the confidentiality of the site’s information.

Affected Systems

WordPress sites running the Code Quality Control Tool plugin version 2.1 or earlier are affected. The plugin, developed by nickclarkweb, exposes its error logs through the web root, making them available to anyone who can access the site.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity. The EPSS score of less than 1 percent shows that the likelihood of exploitation is low at present. The vulnerability is not listed in CISA’s KEV catalog. Exposing log files via a public URL means that an unauthenticated attacker can simply request the log file path and retrieve its contents. Because the logs are served through the normal HTTP interface, no special privileges or additional configuration are needed to exploit this issue.

Generated by OpenCVE AI on April 20, 2026 at 19:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Code Quality Control Tool plugin to a version newer than 2.1 that removes public access to error logs.
  • If upgrading immediately is not possible, move the log files outside the web‑root directory or use web‑server rules (e.g., .htaccess deny) to block external access to the log directory.
  • Set file system permissions on the log files so that only the web server user can read them and prevent any world‑readable access.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Description
  Values Removed: The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 0.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
  Values Added: The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 2.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
Title
  Values Removed: Code Quality Control Tool <= 0.1 - Unauthenticated Information Exposure via Log Files
  Values Added: Code Quality Control Tool <= 2.1 - Unauthenticated Information Exposure via Log Files
References

Mon, 20 Oct 2025 16:30:00 +0000

First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Wed, 15 Oct 2025 09:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 11 Oct 2025 09:45:00 +0000

Description
  Values Added: The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 0.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
Title
  Values Added: Code Quality Control Tool <= 0.1 - Unauthenticated Information Exposure via Log Files
Weaknesses
  Values Added: CWE-200
References
Metrics
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:17:24.108Z

Reserved: 2025-08-01T18:31:30.157Z

Link: CVE-2025-8484

Vulnrichment

Updated: 2025-10-14T18:43:55.759Z

NVD

Status: Deferred

Published: 2025-10-11T10:15:43.987

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses