CVE-2025-13681: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in thebaldfatguy BFG Tools – Extension Zipper
The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `/wp-content/plugins/` directory, which can contain sensitive information such as wp-config.php.
AI Analysis
Technical Summary
CVE-2025-13681 is a path traversal vulnerability (CWE-22) in the BFG Tools – Extension Zipper plugin for WordPress, affecting all versions up to and including 1.0.7. The flaw stems from inadequate input validation on the 'first_file' parameter within the zip() function. Because the parameter is user-supplied, an attacker with Administrator-level access can use it to reach directories outside the intended '/wp-content/plugins/' directory and read arbitrary files on the server, including sensitive configuration files such as wp-config.php, which may contain database credentials and other secrets. The vulnerability does not allow modification or deletion of files, nor does it enable remote code execution; its impact is on confidentiality. Exploitation requires authenticated access with high privileges, needs no user interaction, and can be performed remotely over the network. The CVSS v3.1 score is 4.9 (medium): the impact is primarily to confidentiality, and attack complexity is low because the input parameter is not adequately validated. No patches or fixes are currently linked, and no known exploits have been reported in the wild, but the risk remains significant for affected sites. The vulnerability highlights the importance of strict input validation and access control in WordPress plugins that handle file operations.
Potential Impact
The primary impact of CVE-2025-13681 is unauthorized disclosure of sensitive information due to arbitrary file read capabilities. Attackers with Administrator privileges can access critical files such as wp-config.php, which may expose database credentials, API keys, and other confidential data. This can lead to further compromise of the WordPress site or connected systems if credentials are reused or leaked. Although the vulnerability does not allow code execution or file modification, the exposure of sensitive data can facilitate privilege escalation, lateral movement, or targeted attacks against the organization. For organizations relying on WordPress with this plugin installed, especially those hosting sensitive or regulated data, this vulnerability poses a significant confidentiality risk. The requirement for Administrator-level access limits the attack surface to insiders or compromised accounts but does not eliminate risk, as credential theft or phishing could enable exploitation. The lack of known exploits in the wild suggests limited current threat activity, but the vulnerability remains a concern for maintaining site integrity and confidentiality.
Mitigation Recommendations
To mitigate CVE-2025-13681, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of an official patch, administrators should consider disabling or uninstalling the BFG Tools – Extension Zipper plugin to eliminate exposure. Restrict Administrator-level access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of account compromise. Implement file system permissions that limit the web server's ability to read sensitive files outside the plugin directory, using techniques like chroot jails or hardened server configurations. Conduct regular audits of user accounts and plugin usage to detect unauthorized access or suspicious activity. Additionally, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the 'first_file' parameter. Monitoring logs for unusual file access patterns can help identify exploitation attempts early. Finally, educate administrators on the risks of granting excessive privileges and the importance of plugin security hygiene.
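The missing control the description and the mitigation section point at is a containment check on the user-supplied path before any file or zip operation. The following is an added illustration of such a check in the plugin's language; it is example code, not the plugin's own, and the function name, the request handling and the fallback plugin directory are assumptions.

```php
<?php
// Added example (not the plugin's code): confine a user-supplied path such as
// the `first_file` parameter to the plugins directory before using it.
// Assumes WordPress is loaded so WP_PLUGIN_DIR exists; the fallback below is an
// assumed path for stand-alone runs only.
if (!defined('WP_PLUGIN_DIR')) {
    define('WP_PLUGIN_DIR', '/var/www/html/wp-content/plugins');
}

/**
 * Return the canonical path of $userPath only if it exists and lies strictly
 * inside $baseDir; return null otherwise. realpath() resolves "..", "." and
 * symlinks, so the comparison is made on the resolved path, not the raw input.
 */
function bfg_resolve_inside(string $userPath, string $baseDir): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory does not exist
    }
    // NUL bytes truncate paths at the C level; reject them outright.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // Always interpret the input relative to the base directory, never as an
    // absolute path, then canonicalise the result.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($candidate === false) {
        return null; // target does not exist
    }
    // Strict prefix match including the trailing separator, so a sibling
    // directory such as ".../plugins-old" is not accepted.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved path escaped the plugins directory
    }
    return $candidate;
}

// Usage in a request handler (hypothetical): refuse the request before the
// archive is built. 'my-plugin/readme.txt' resolves if that file exists;
// '../../wp-config.php' resolves outside the base and yields null.
$first = bfg_resolve_inside((string) ($_POST['first_file'] ?? ''), WP_PLUGIN_DIR);
if ($first === null) {
    wp_die('Invalid path', '', array('response' => 400));
}
```

The capability check the advisory implies (`current_user_can('manage_options')` or a nonce check) still belongs in front of this, since the traversal only narrows what an already-privileged account can reach.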
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T18:54:26.188Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69901846c9e1ff5ad867f1be
Added to database: 2/14/2026, 6:37:58 AM
Last enriched: 2/21/2026, 10:22:28 PM
Last updated: 4/6/2026, 11:56:58 PM