CVE-2025-11379: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in roselldk WebP Express
The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated attackers to extract configuration data.
AI Analysis
Technical Summary
CVE-2025-11379 is an information exposure vulnerability classified under CWE-200, found in the WebP Express plugin for WordPress developed by roselldk. The vulnerability affects all versions up to 0.25.9 and stems from the plugin's failure to properly randomize the names of its configuration files. On NGINX web servers, this oversight allows unauthenticated attackers to directly access these config files by requesting their predictable URLs. The exposed configuration data may include sensitive information such as plugin settings, paths, or other details that could facilitate further attacks or reconnaissance. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely. The CVSS v3.1 base score is 5.3, reflecting a medium severity with a vector indicating network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and limited confidentiality impact. No patches or known exploits are currently reported, but the risk remains significant for sites using the affected plugin versions on NGINX servers. The root cause is inadequate protection of configuration files and predictable naming conventions, which should be addressed by randomizing file names or restricting access via server rules.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive configuration information from WordPress sites using the WebP Express plugin on NGINX servers. While it does not directly compromise integrity or availability, the leaked data can aid attackers in crafting targeted attacks, such as privilege escalation, further plugin or site exploitation, or reconnaissance for lateral movement. Organizations relying on this plugin risk exposure of internal configuration details, which may include paths, settings, or other sensitive parameters. This can undermine the security posture of affected websites, potentially leading to more severe compromises if combined with other vulnerabilities. The ease of exploitation (no authentication or user interaction) increases the likelihood of automated scanning and exploitation attempts. The scope is limited to sites using the vulnerable plugin on NGINX, but given WordPress's global popularity, the number of affected sites could be substantial.
Mitigation Recommendations
To mitigate CVE-2025-11379, organizations should implement the following specific measures:
1) Immediately restrict direct access to the plugin's configuration files by configuring NGINX rules to deny requests to known config file paths or patterns.
2) Monitor web server logs for suspicious requests targeting config files to detect potential exploitation attempts.
3) Encourage the plugin vendor to release an update that randomizes config file names or moves sensitive data outside the web root.
4) Until a patch is available, consider disabling or removing the WebP Express plugin if it is not essential.
5) Employ web application firewalls (WAFs) with custom rules to block access to sensitive plugin files.
6) Regularly audit WordPress plugins for security updates and maintain an inventory of installed plugins to quickly identify vulnerable components.
7) Educate site administrators about the risks of exposing configuration files and the importance of secure server configurations.
These targeted actions go beyond generic advice by focusing on server-level access controls and proactive monitoring specific to this vulnerability.
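The first two measures above (an NGINX deny rule and log monitoring) can be combined into a small defender-side tool. The following is an added example, not code from the advisory, from Wordfence, or from the WebP Express plugin. It renders an NGINX location block that refuses direct requests to the config directory and scans access-log lines in the standard "combined" format for requests to that directory, separating those the server actually served (2xx, i.e. data was exposed) from those it blocked. The config directory `CONFIG_DIR` is a labelled placeholder, since the advisory does not give the real path; replace it with the location your installation uses. The log lines are constructed samples, not real traffic.

```python
"""Detect and block direct requests to plugin config files (added example).

Assumption: CONFIG_DIR is a PLACEHOLDER, not the plugin's real config
location. Set it to the directory your WebP Express install writes to.
"""
import re
from dataclasses import dataclass

# PLACEHOLDER path (assumption): adjust to the real config directory.
CONFIG_DIR = "/wp-content/PLACEHOLDER-webp-express-config/"

# Request paths under the config dir that end in a config-like extension.
CONFIG_PATH_RE = re.compile(
    r"^" + re.escape(CONFIG_DIR) + r".+\.(json|php)$", re.IGNORECASE
)

# NGINX "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int
    exposed: bool  # True when the server served the file (2xx response)


def nginx_deny_snippet(config_dir: str = CONFIG_DIR) -> str:
    """Render an NGINX location block refusing direct access to config_dir.

    ^~ is a prefix match that wins over regex locations (e.g. a generic
    static-file rule); deny all answers with 403 before the file is read.
    """
    return (
        f"location ^~ {config_dir} {{\n"
        "    deny all;\n"
        "}\n"
    )


def parse_line(line: str):
    """Return the fields of one combined-format log line, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Yield a Hit for every request whose path targets a config file."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip unparsable lines instead of crashing
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if CONFIG_PATH_RE.match(path):
            status = int(rec["status"])
            hits.append(Hit(rec["ip"], rec["ts"], path, status,
                            200 <= status < 300))
    return hits


def summarize(hits):
    """Per source IP: how many config requests were exposed vs blocked."""
    out = {}
    for h in hits:
        d = out.setdefault(h.ip, {"exposed": 0, "blocked": 0})
        d["exposed" if h.exposed else "blocked"] += 1
    return out


# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Dec/2025:04:45:28 +0000] "GET '
    + CONFIG_DIR + 'config.json HTTP/1.1" 200 812 "-" "python-requests/2.32"',
    '203.0.113.5 - - [04/Dec/2025:04:45:29 +0000] "GET '
    '/wp-content/uploads/2025/12/photo.webp HTTP/1.1" 200 40211 "-" "python-requests/2.32"',
    '198.51.100.7 - - [04/Dec/2025:05:01:02 +0000] "GET '
    + CONFIG_DIR + 'config.json?x=1 HTTP/1.1" 403 162 "-" "curl/8.5"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print(nginx_deny_snippet())
    for ip, counts in summarize(scan(SAMPLE_LOG)).items():
        print(ip, counts)
```

In the sample, the first client received a 200 for the config file (an actual exposure worth treating as an incident), while the second was refused with 403, which is what the rendered deny rule produces once deployed. Running the scan over logs from before the rule was added tells you whether the file was ever served.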
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-06T16:49:53.311Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 693111e8654141e59c21c0b8
Added to database: 12/4/2025, 4:45:28 AM
Last enriched: 2/27/2026, 6:59:37 PM
Last updated: 3/21/2026, 1:40:10 AM