The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data.
CVE-2025-11379: The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and…
WebP Express plugin for WordPress versions up to 0.25.9 exposes configuration data due to improper config file randomization, allowing unauthenticated attackers to extract sensitive information (CVE-2025-11379).