{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13681", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-25T18:54:26.188Z", "datePublished": "2026-02-14T03:25:26.938Z", "dateUpdated": "2026-04-08T16:55:27.141Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:27.141Z"}, "affected": [{"vendor": "thebaldfatguy", "product": "BFG Tools \u2013 Extension Zipper", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BFG Tools \u2013 Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `/wp-content/plugins/` directory, which can contain sensitive information such as wp-config.php."}], "title": "BFG Tools \u2013 Extension Zipper <= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bd95df9-4355-4d57-ba44-59280463e284?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bfg-tools-extension-zipper/trunk/bfg-tools-extension-zipper.php#L290"}, {"url": "https://plugins.trac.wordpress.org/browser/bfg-tools-extension-zipper/tags/1.0.7/bfg-tools-extension-zipper.php#L290"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412948%40bfg-tools-extension-zipper&new=3412948%40bfg-tools-extension-zipper"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-02-13T14:25:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:06:42.889504Z", "id": "CVE-2025-13681", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:06:55.368Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13681", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:06:42.889504Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:06:51.046Z"}}], "cna": {"title": "BFG Tools \u2013 Extension Zipper <= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "thebaldfatguy", "product": "BFG Tools \u2013 Extension Zipper", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T14:25:30.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bd95df9-4355-4d57-ba44-59280463e284?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/bfg-tools-extension-zipper/trunk/bfg-tools-extension-zipper.php#L290"}, {"url": "https://plugins.trac.wordpress.org/browser/bfg-tools-extension-zipper/tags/1.0.7/bfg-tools-extension-zipper.php#L290"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412948%40bfg-tools-extension-zipper&new=3412948%40bfg-tools-extension-zipper"}], "descriptions": [{"lang": "en", "value": "The BFG Tools \u2013 Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `/wp-content/plugins/` directory, which can contain sensitive information such as wp-config.php."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:55:27.141Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13681", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:55:27.141Z", "dateReserved": "2025-11-25T18:54:26.188Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T03:25:26.938Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BFG Tools \u2013 Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `/wp-content/plugins/` directory, which can contain sensitive information such as wp-config.php."}, {"lang": "es", "value": "El plugin BFG Tools \u2013 Extension Zipper para WordPress es vulnerable a salto de ruta en todas las versiones hasta la 1.0.7 inclusive. Esto se debe a una validaci\u00f3n de entrada insuficiente en el par\u00e1metro 'first_file' proporcionado por el usuario en la funci\u00f3n 'zip()'. Esto permite a atacantes autenticados, con acceso de nivel de Administrador y superior, leer el contenido de archivos y directorios arbitrarios fuera del directorio previsto '/wp-content/plugins/', que puede contener informaci\u00f3n sensible como wp-config.php."}], "id": "CVE-2025-13681", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T04:15:56.123", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bfg-tools-extension-zipper/tags/1.0.7/bfg-tools-extension-zipper.php#L290"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/bfg-tools-extension-zipper/trunk/bfg-tools-extension-zipper.php#L290"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412948%40bfg-tools-extension-zipper&new=3412948%40bfg-tools-extension-zipper"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bd95df9-4355-4d57-ba44-59280463e284?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "product": "bfg_tools_\u2013_extension_zipper", "vendor": "thebaldfatguy"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-21T16:02:15.920447+00:00", "value": {"mitigation_remediation": ["Update the BFG Tools \u2013 Extension Zipper plugin to a version that addresses the path traversal flaw (or remove the plugin entirely if a newer version is unavailable).", "Restrict Administrator privileges to only trusted users and consider revoking unnecessary high\u2011privilege accounts from the system.", "Implement strict file\u2011system permissions on sensitive files such as wp-config.php to limit read access, even to authenticated administrators."], "summary": {"action": "Patch", "impact": "Confidentiality breach via path traversal"}, "threat_synthesis": {"affected_systems": "Any WordPress site that has the BFG Tools \u2013 Extension Zipper plugin installed at version 1.0.7 or earlier is impacted. The vulnerability applies to all versions up to and including 1.0.7.", "description_and_impact": "The BFG Tools \u2013 Extension Zipper plugin for WordPress contains an insufficient input validation issue in the \u2018first_file\u2019 parameter of the zip() function, creating a path traversal flaw. This flaw allows an authenticated attacker with Administrator privileges or higher to read the contents of arbitrary files and directories outside the intended /wp-content/plugins/ directory, potentially exposing sensitive data such as wp-config.php. The weakness is a classic example of CWE-22 (Path Traversal).", "risk_and_exploitability": "The CVSS score of 4.9 indicates a moderate impact, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exfiltration of sensitive files is possible only for users who possess Administrator level or higher access, and requires the attacker to trigger the zip() function with a crafted first_file parameter. The exploitation path therefore demands a logged\u2011in privileged user and the ability to submit a request to the plugin, so the attack surface is limited to sites with exposed administrative interfaces."}}}}, "created": "2026-02-16T12:03:23.022024+00:00", "updated": "2026-04-21T16:15:40.492553+00:00", "vendors": ["thebaldfatguy", "thebaldfatguy$PRODUCT$bfg_tools_\u2013_extension_zipper", "wordpress", "wordpress$PRODUCT$wordpress"]}