CVE-2025-11379 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the WebP Express plugin for WordPress, developed by roselldk. This plugin is widely used to convert images to the WebP format to improve website performance. The vulnerability affects all versions up to and including 0.25.9. The root cause is the plugin's failure to randomize the name of its configuration file, which is stored on the server and accessible via direct HTTP requests on NGINX web servers. Because the config file name is predictable and not obfuscated, an unauthenticated attacker can directly request and retrieve this file, exposing sensitive configuration data. This exposure does not require any authentication or user interaction, making exploitation straightforward. The leaked configuration data could include sensitive parameters that may facilitate further attacks, such as information about server setup or plugin settings. The CVSS v3.1 base score is 5.3, reflecting a medium severity level due to the confidentiality impact without affecting integrity or availability. No known exploits have been reported in the wild yet, but the vulnerability is publicly disclosed and should be addressed promptly. The vulnerability is particularly relevant for websites running on NGINX, as the issue is tied to how the server handles direct file access. The lack of patch links indicates that a fix may not yet be available, emphasizing the need for interim mitigations.

For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive configuration information from WordPress sites using the WebP Express plugin on NGINX servers. Such exposure can aid attackers in reconnaissance, potentially leading to more targeted attacks like privilege escalation or further exploitation of other vulnerabilities. Organizations in sectors with high web presence—such as e-commerce, media, and government—may face increased risk due to the public-facing nature of their websites. The confidentiality breach could undermine trust and compliance with data protection regulations like GDPR if the exposed information includes personal data or security-related configurations. Although the vulnerability does not directly impact system integrity or availability, the information leakage can be a stepping stone for more damaging attacks. The medium severity score indicates moderate risk, but the ease of exploitation (no authentication or user interaction required) increases the urgency for mitigation. The absence of known exploits in the wild suggests a window of opportunity for organizations to remediate before active exploitation occurs.

1. Immediately restrict direct access to the plugin's configuration files by implementing strict web server rules on NGINX, such as using 'location' blocks to deny access to config file paths or extensions. 2. Employ web application firewalls (WAFs) to detect and block suspicious requests targeting configuration files. 3. Monitor web server logs for unusual access attempts to configuration files or unexpected HTTP GET requests that could indicate scanning or exploitation attempts. 4. Regularly update the WebP Express plugin to the latest version once a patch addressing this vulnerability is released by the vendor. 5. Consider temporarily disabling or replacing the plugin with alternative image optimization solutions if immediate patching is not possible. 6. Conduct security audits of WordPress installations to identify other plugins or components with similar exposure risks. 7. Educate web administrators on secure plugin configuration and the importance of restricting access to sensitive files. 8. Review and harden NGINX server configurations to prevent unauthorized file access beyond this specific vulnerability.