{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9950", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-03T13:46:51.533Z", "datePublished": "2025-10-11T09:28:39.601Z", "dateUpdated": "2026-04-08T17:09:51.509Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:09:51.509Z"}, "affected": [{"vendor": "bestwebsoft", "product": "Error Log Viewer by BestWebSoft", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Error Log Viewer by BestWebSoft plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.6 via the rrrlgvwr_get_file function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "title": "Error Log Viewer by BestWebSoft <= 1.1.6 - Authenticated (Administrator+) Arbitrary File Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9455eccb-9f32-4e4e-8fe4-f345bf6e8da7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/error-log-viewer/tags/1.1.6/error-log-viewer.php#L118"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378018%40error-log-viewer&new=3378018%40error-log-viewer&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Duc Manh"}], "timeline": [{"time": "2025-06-06T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-10-10T20:39:18.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-14T18:31:59.169758Z", "id": "CVE-2025-9950", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T18:45:27.147Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-9950", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-03T13:46:51.533Z", "datePublished": "2025-10-11T09:28:39.601Z", "dateUpdated": "2025-10-14T18:45:27.147Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-11T09:28:39.601Z"}, "affected": [{"vendor": "bestwebsoft", "product": "Error Log Viewer by BestWebSoft", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "1.1.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Error Log Viewer by BestWebSoft plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.6 via the rrrlgvwr_get_file function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "title": "Error Log Viewer by BestWebSoft <= 1.1.6 - Authenticated (Administrator+) Arbitrary File Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9455eccb-9f32-4e4e-8fe4-f345bf6e8da7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/error-log-viewer/tags/1.1.6/error-log-viewer.php#L118"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Duc Manh"}], "timeline": [{"time": "2025-06-06T00:00:00.000+00:00", "lang": "en", "value": "Discovered"}, {"time": "2025-10-10T20:39:18.000+00:00", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9950", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-14T18:31:59.169758Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-14T18:31:59.949Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Error Log Viewer by BestWebSoft plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.6 via the rrrlgvwr_get_file function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "id": "CVE-2025-9950", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-11T10:15:45.127", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/error-log-viewer/tags/1.1.6/error-log-viewer.php#L118"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3378018%40error-log-viewer&new=3378018%40error-log-viewer&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9455eccb-9f32-4e4e-8fe4-f345bf6e8da7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:23:23.729686+00:00", "value": {"mitigation_remediation": ["Upgrade the Error Log Viewer plugin to the latest available version that removes the path\u2011traversal bug", "If an upgrade is not possible, disable or uninstall the plugin until a patch is applied", "Verify that the WordPress instance enforces strict file permissions and that the plugin cannot read files outside the intended directories"], "summary": {"action": "Apply Patch", "impact": "Arbitrary file read that can expose confidential server data"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Error Log Viewer by BestWebSoft plugin version 1.1.6 or earlier are affected. The plugin is listed under the BestWebSoft vendor family and is included in any WordPress installation that has not upgraded beyond 1.1.6.", "description_and_impact": "The bestwebsoft Error Log Viewer plugin allows a directory traversal flaw in the rrrlgvwr_get_file function. An attacker who can authenticate as an Administrator or higher can supply a path that resolves to any file on the server, reading its contents. This vulnerability, classified as CWE\u201122, can expose sensitive configuration files, credentials, or private user data, leading to confidentiality compromise.", "risk_and_exploitability": "The CVSS score of 4.9 reflects a moderate severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The issue is not catalogued in CISA\u2019s KEV. Exploitation requires the attacker to be authenticated with Administrator\u2011level privileges; from there, they can craft a request to trigger the vulnerable function and retrieve arbitrary files."}}}}, "created": "2025-10-20T16:14:57.591691+00:00", "updated": "2026-04-21T02:30:25.832083+00:00", "vendors": ["bestwebsoft", "bestwebsoft$PRODUCT$error_log_viewer", "wordpress", "wordpress$PRODUCT$wordpress"]}