CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Description (NVD)
The Code Quality Control Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in version 2.1 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files.
Analysis (AI)
Unauthenticated attackers can access sensitive information through publicly exposed log files in the Code Quality Control Tool WordPress plugin versions 2.1 and earlier, due to inadequate access controls on the error_logger.php component. The vulnerability allows remote attackers to read potentially sensitive data without authentication or user interaction, presenting a confidentiality risk to WordPress installations using affected versions.
Technical Context (AI)
The Code Quality Control Tool plugin for WordPress implements error logging via the error_logger.php file, which fails to enforce proper access controls (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability stems from insufficient protection on publicly accessible log files that may contain sensitive debugging information, configuration details, or other data intended only for administrators. WordPress plugins must enforce authorization through WordPress's capability system (current_user_can()) before exposing any sensitive files or data endpoints; is_admin() alone is not a sufficient check, since it only reports whether an admin screen is being rendered, not whether the requesting user is privileged. The affected plugin versions 2.1 and earlier lack these protective measures on the error logging mechanism, allowing unauthenticated remote access over the network with low attack complexity.
Affected Products (AI)
The Code Quality Control Tool WordPress plugin is affected in versions 2.1 and earlier. The vulnerable component is error_logger.php, which is publicly accessible without authentication checks. All WordPress installations running this plugin at version 2.1 or prior are at risk, regardless of WordPress version, as the vulnerability exists in the plugin code itself rather than the WordPress core platform.
Remediation (AI)
Update the Code Quality Control Tool plugin to the patched version released after version 2.1. Per the referenced WordPress plugin changeset 3385766, the vendor has released a fix that implements proper access controls on the error_logger.php file. WordPress administrators should immediately update the plugin from the WordPress Plugin Directory to the latest available version. As a temporary workaround if an immediate update is not possible, restrict direct access to the plugin's log files via web server configuration (.htaccess for Apache or equivalent for other servers) by denying public access to the plugin directory, particularly the error_logger.php file and any log subdirectories. Monitor the plugin's GitHub repository and Wordfence threat intelligence feed (https://www.wordfence.com/threat-intel/vulnerabilities/id/b64635f4-abc0-4e69-89e4-357840c5e776) for patch release notifications.
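The access-control pattern described in the Technical Context and Remediation sections, as an added example that is not the plugin's own code and not part of this entry: a log-viewing handler that only runs for logged-in users, checks a capability and a nonce, and reads the log from a location outside the document root. The cqct_* function, hook and option names and the log path are assumptions, not identifiers from the plugin.

```php
<?php
// Added example (not the plugin's code). Hook, function and path names are hypothetical.

// Block direct URL requests to this file: when WordPress has not loaded it, ABSPATH is
// undefined and the request ends with an empty response instead of the log contents.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// admin_post_{action} only fires for logged-in users. The unauthenticated counterpart,
// admin_post_nopriv_{action}, is deliberately not registered.
add_action( 'admin_post_cqct_view_error_log', 'cqct_view_error_log' );

function cqct_log_path() {
    // Hypothetical location one level above the document root, so the web server never
    // serves it directly. If the log must live under the webroot instead, pair it with a
    // web-server deny rule for that directory, as the remediation above recommends.
    $dir = rtrim( dirname( ABSPATH ), '/' ) . '/cqct-logs';
    return $dir . '/error.log';
}

function cqct_view_error_log() {
    // Authorization: a capability check, not is_admin(), which only reports that an
    // admin screen is being rendered and says nothing about the user's privileges.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // CSRF protection for the request that discloses the log.
    check_admin_referer( 'cqct_view_error_log' );

    $path = cqct_log_path();
    if ( ! is_readable( $path ) ) {
        wp_die( 'No log available.', '', array( 'response' => 404 ) );
    }

    // Serve as plain text so a browser never interprets log contents as HTML.
    header( 'Content-Type: text/plain; charset=utf-8' );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
}

// The admin UI generates the link with the matching nonce, e.g.:
// wp_nonce_url( admin_url( 'admin-post.php?action=cqct_view_error_log' ), 'cqct_view_error_log' );
```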