CVE-2025-11379 is an information exposure vulnerability classified under CWE-200, affecting the WebP Express plugin for WordPress developed by roselldk. The vulnerability arises because the plugin fails to sufficiently randomize or obscure the names of its configuration files, which are accessible directly on web servers running NGINX. This misconfiguration allows unauthenticated remote attackers to retrieve sensitive configuration data by directly requesting these predictable config files. The exposure of such configuration data can reveal internal plugin settings, paths, or other sensitive information that could be leveraged to facilitate further attacks, such as privilege escalation or targeted exploitation of other vulnerabilities. The vulnerability affects all versions up to and including 0.25.9. The CVSS 3.1 base score is 5.3 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:L) without affecting integrity or availability. No patches or exploits are currently publicly available, but the issue is recognized and published. The vulnerability is particularly relevant for WordPress sites hosted on NGINX servers where default or predictable config file names are not protected by additional access controls.

For European organizations, this vulnerability poses a moderate risk primarily through the unauthorized disclosure of sensitive configuration information. Such exposure can aid attackers in mapping the target environment, identifying potential weaknesses, or crafting more effective attacks against the affected WordPress sites. While the vulnerability does not directly compromise data integrity or availability, the leaked information could be used in multi-stage attacks, increasing the overall risk profile. Organizations relying on WordPress with the WebP Express plugin, especially those hosting public-facing websites on NGINX servers without strict access controls, are vulnerable. This could impact sectors with high web presence such as e-commerce, media, and government services. The exposure of configuration details might also contravene GDPR requirements if it leads to further data breaches. Although no active exploitation is known, the ease of exploitation without authentication means attackers could quickly leverage this vulnerability once discovered.

1. Monitor for and apply updates to the WebP Express plugin as soon as a patch addressing CVE-2025-11379 is released by roselldk. 2. In the interim, implement server-level access controls on NGINX to restrict direct access to configuration files, for example by adding location blocks that deny access to config file paths or extensions used by the plugin. 3. Rename or randomize configuration file names manually if feasible, to reduce predictability until an official fix is available. 4. Conduct regular security audits of WordPress plugins and server configurations to identify and remediate similar exposure risks. 5. Employ web application firewalls (WAFs) with rules to block suspicious requests targeting plugin config files. 6. Educate site administrators on the risks of exposing plugin configuration files and encourage minimal plugin usage with strict update policies. 7. Review and harden NGINX server configurations to ensure sensitive files are not publicly accessible by default.