Description
The Error Log Viewer by BestWebSoft plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.6 via the rrrlgvwr_get_file function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2025-10-11
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read that can expose confidential server data
Action: Apply Patch
AI Analysis

Impact

The bestwebsoft Error Log Viewer plugin allows a directory traversal flaw in the rrrlgvwr_get_file function. An attacker who can authenticate as an Administrator or higher can supply a path that resolves to any file on the server, reading its contents. This vulnerability, classified as CWE‑22, can expose sensitive configuration files, credentials, or private user data, leading to confidentiality compromise.

Affected Systems

WordPress sites running the Error Log Viewer by BestWebSoft plugin version 1.1.6 or earlier are affected. The plugin is listed under the BestWebSoft vendor family and is included in any WordPress installation that has not upgraded beyond 1.1.6.

Risk and Exploitability

The CVSS score of 4.9 reflects a moderate severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The issue is not catalogued in CISA’s KEV. Exploitation requires the attacker to be authenticated with Administrator‑level privileges; from there, they can craft a request to trigger the vulnerable function and retrieve arbitrary files.

Generated by OpenCVE AI on April 21, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Error Log Viewer plugin to the latest available version that removes the path‑traversal bug
  • If an upgrade is not possible, disable or uninstall the plugin until a patch is applied
  • Verify that the WordPress instance enforces strict file permissions and that the plugin cannot read files outside the intended directories

Generated by OpenCVE AI on April 21, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
References

Mon, 20 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Bestwebsoft
Bestwebsoft error Log Viewer
Wordpress
Wordpress wordpress
Vendors & Products Bestwebsoft
Bestwebsoft error Log Viewer
Wordpress
Wordpress wordpress

Tue, 14 Oct 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 11 Oct 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Error Log Viewer by BestWebSoft plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.6 via the rrrlgvwr_get_file function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Title Error Log Viewer by BestWebSoft <= 1.1.6 - Authenticated (Administrator+) Arbitrary File Read
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Bestwebsoft Error Log Viewer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:09:51.509Z

Reserved: 2025-09-03T13:46:51.533Z

Link: CVE-2025-9950

cve-icon Vulnrichment

Updated: 2025-10-14T18:31:59.949Z

cve-icon NVD

Status : Deferred

Published: 2025-10-11T10:15:45.127

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9950

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T02:30:25Z

Weaknesses