CVE Details
Basic Information
| Title | BitFire <= 4.5 - Unauthenticated Information Exposure |
|---|---|
| Type | cve |
| Published | 2025-08-02T09:23:31.313Z |
| Modified | 2025-08-02T09:23:31.313Z |
Product Information
| Vendor | bitslip6 |
|---|---|
| Product | BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security |
| Version | * |
CVSS Information
| Base Score | 5.3 (MEDIUM) |
|---|---|
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Affected Products
- bitslip6 BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security *
Additional Information
| CWE List | CWE-200 |
|---|---|
| Source | Wordfence |
Description
The BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5 via the bitfire_* directory that automatically gets created and stores potentially sensitive files without any access restrictions. This makes it possible for unauthenticated attackers to extract sensitive data from various files like config.ini, debug.log, and more.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/72320980-733d-4fe6-9a13-39c476b77298?source=cve
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3335461%40bitfire&new=3335461%40bitfire&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3334399%40bitfire&new=3334399%40bitfire&sfp_email=&sfph_mail=