CVE-2025-11504: CWE-532 Insertion of Sensitive Information into Log File in quickcreator Quickcreator – AI Blog Writer
The Quickcreator – AI Blog Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 0.0.9 to 0.1.17 through the /wp-content/plugins/quickcreator/dupasrala.txt file. This makes it possible for unauthenticated attackers to view the plugin's API key and subsequently use that to perform actions on the site like creating new posts and injecting XSS payloads.
AI Analysis
Technical Summary
CVE-2025-11504 is a vulnerability classified under CWE-532 (Insertion of Sensitive Information into Log File) affecting the Quickcreator – AI Blog Writer plugin for WordPress, specifically versions 0.0.9 through 0.1.17. The issue arises because the plugin writes its API key into a log file named dupasrala.txt located in the plugin directory (/wp-content/plugins/quickcreator/). This file is publicly accessible without authentication, allowing any remote attacker to retrieve the API key. With the API key, attackers can interact with the plugin’s API to perform unauthorized actions on the WordPress site, including creating new posts and injecting malicious scripts such as XSS payloads. The vulnerability is remotely exploitable over the network without any user interaction or privileges, making it particularly dangerous. The CVSS v3.1 score is 7.5 (high), reflecting the high confidentiality impact due to exposure of sensitive credentials, though integrity and availability impacts are not directly compromised. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights poor handling of sensitive information by logging it in a publicly accessible location, which violates secure coding practices and exposes the site to potential compromise.
Potential Impact
The primary impact of CVE-2025-11504 is the exposure of the plugin’s API key, which compromises the confidentiality of sensitive credentials. Attackers gaining access to this key can perform unauthorized actions such as creating new posts and injecting malicious content, including XSS payloads, which can lead to further site compromise, defacement, or distribution of malware to site visitors. Although the vulnerability does not directly affect system integrity or availability, the ability to inject malicious content can indirectly harm site integrity and user trust. For organizations relying on the Quickcreator plugin, this can result in reputational damage, potential data leakage, and increased risk of broader attacks leveraging the compromised site. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by automated scanners, increasing the risk of widespread exploitation. The lack of patches means affected sites remain vulnerable until mitigations are applied.
Mitigation Recommendations
1. Immediately restrict access to the /wp-content/plugins/quickcreator/dupasrala.txt file by configuring web server rules (e.g., .htaccess or nginx config) to deny public access.
2. Rotate the exposed API key to invalidate any compromised credentials.
3. Monitor WordPress logs and plugin activity for unauthorized post creations or suspicious behavior indicative of exploitation.
4. Disable or uninstall the Quickcreator plugin if it is not essential until a patched version is released.
5. Implement a web application firewall (WAF) with rules to detect and block attempts to access sensitive plugin files or perform unauthorized API actions.
6. Review plugin code and deployment practices to ensure sensitive information is never logged or stored in publicly accessible locations.
7. Keep WordPress core and all plugins updated and subscribe to security advisories for timely patching.
8. Educate site administrators about the risks of exposing API keys and the importance of secure credential management.
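Mitigation step 3 asks for monitoring, and step 1 for confirming that the file is no longer served. The script below is an added example written for this page (it is not the advisory's or the plugin vendor's code): it scans web server access-log lines in the default Apache/nginx combined format, records every request for the dupasrala.txt path named in the advisory, and distinguishes requests the server actually answered with a 2xx (key exposed, rotate it) from requests that were blocked with 403/404. The log lines are constructed for the example; the file path comes from the advisory, and the combined-log regex assumes unmodified default logging.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# Path named in the advisory. Any other file you want to watch can be added here.
SENSITIVE_PATHS = ("/wp-content/plugins/quickcreator/dupasrala.txt",)

# Apache/nginx "combined" format: client, identd, user, [time], "request", status, size, ...
# Assumption: default log format; adjust the pattern if your server logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    status: int
    exposed: bool  # True when the server served the file (2xx), not just saw a request


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per request for a sensitive plugin file.

    A 2xx response means the key file was actually served; a 403/404 means the
    access rule from mitigation step 1 (or the file's absence) stopped it, but the
    attempt is still worth recording as a reconnaissance indicator.
    """
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        # Drop any query string and normalise case before comparing paths.
        path = m.group("path").split("?", 1)[0].lower()
        if path not in SENSITIVE_PATHS:
            continue
        status = int(m.group("status"))
        findings.append(
            Finding(m.group("ip"), m.group("ts"), path, status, 200 <= status < 300)
        )
    return findings


def key_exposed(findings: Iterable[Finding]) -> bool:
    """True if at least one request was served the file: treat the key as compromised."""
    return any(f.exposed for f in findings)


def exposing_clients(findings: Iterable[Finding]) -> Set[str]:
    """Source addresses that successfully retrieved the file (for IR timelines)."""
    return {f.ip for f in findings if f.exposed}


# Constructed sample log lines (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Oct/2025:08:34:38 +0000] "GET /wp-content/plugins/quickcreator/dupasrala.txt HTTP/1.1" 200 812 "-" "python-requests/2.32"',
    '198.51.100.2 - - [24/Oct/2025:08:35:01 +0000] "GET /wp-content/plugins/quickcreator/dupasrala.txt?x=1 HTTP/1.1" 403 199 "-" "curl/8.4"',
    '192.0.2.9 - - [24/Oct/2025:08:36:12 +0000] "GET /wp-content/plugins/quickcreator/assets/app.js HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [24/Oct/2025:08:36:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 55 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        state = "SERVED (rotate key)" if f.exposed else "blocked"
        print(f"{f.timestamp} {f.ip} {f.path} {f.status} {state}")
    print("key exposed:", key_exposed(results), "clients:", sorted(exposing_clients(results)))
```

Run it against a real log with `scan_access_log(open("/var/log/nginx/access.log"))`; a single `exposed` finding means step 2 (key rotation) is mandatory, and a steady stream of blocked findings shows the step 1 deny rule is doing its job against scanners.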
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-08T14:51:11.378Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68fb3a1e0691a1b59916071a
Added to database: 10/24/2025, 8:34:38 AM
Last enriched: 2/27/2026, 7:05:20 PM
Last updated: 3/26/2026, 11:09:02 AM