CVE-2025-11504 identifies a vulnerability in the Quickcreator – AI Blog Writer plugin for WordPress, specifically in versions 0.0.9 through 0.1.17. The issue stems from the plugin writing sensitive information, namely its API key, into a publicly accessible file located at /wp-content/plugins/quickcreator/dupasrala.txt. This file can be accessed by unauthenticated attackers, enabling them to retrieve the API key without any authentication or user interaction. Possession of this key allows attackers to interact with the plugin's API, which can be leveraged to create new blog posts or inject malicious scripts such as XSS payloads into the website content. The vulnerability is categorized under CWE-532, which concerns the improper insertion of sensitive information into log files or other accessible locations. The CVSS 3.1 base score is 7.5, reflecting a high severity due to the vulnerability's network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is primarily on confidentiality, as the API key exposure compromises the integrity of the site by enabling unauthorized content creation and script injection. No patches have been linked yet, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved and published in October 2025 by Wordfence. Given the plugin's role in content creation, exploitation could lead to defacement, phishing, or malware distribution via injected scripts.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of their WordPress-based websites using the Quickcreator plugin. Unauthorized access to the API key can lead to malicious content creation, including spam, phishing pages, or XSS attacks that compromise site visitors. This can damage brand reputation, reduce customer trust, and potentially lead to regulatory scrutiny under GDPR if user data is indirectly affected or if the site is used as a vector for further attacks. The ability to inject scripts could also facilitate broader attacks such as session hijacking or malware distribution. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the threat level. Organizations relying on this plugin for content automation or AI-assisted blog writing should consider the risk of content integrity loss and potential SEO penalties due to malicious content insertion.

European organizations should immediately audit their WordPress installations to identify the presence of the Quickcreator – AI Blog Writer plugin and verify the version in use. Until an official patch is released, administrators should restrict access to the /wp-content/plugins/quickcreator/dupasrala.txt file by implementing web server rules (e.g., .htaccess for Apache or location blocks for Nginx) to deny public access to this file or the entire plugin directory if feasible. Removing or disabling the plugin temporarily is advisable if it is not critical to operations. Additionally, rotate any exposed API keys and review site content for unauthorized posts or injected scripts. Monitoring web server logs for unusual access patterns to the plugin files can help detect exploitation attempts. Organizations should also engage with the plugin vendor or community to track patch releases and apply updates promptly. Implementing a Web Application Firewall (WAF) with custom rules to block suspicious requests targeting the plugin's endpoints can provide interim protection. Finally, conduct regular security audits and ensure that sensitive information is never stored in publicly accessible files.