CVE-2025-2880 identifies a vulnerability in the Yame | Link In Bio plugin for WordPress, affecting all versions up to and including 0.9.0. The issue arises from the presence of a publicly accessible phpinfo.php script within the plugin's codebase. This script outputs detailed PHP environment information, including server configuration, installed modules, environment variables, and potentially sensitive data such as paths, software versions, and loaded extensions. Because the script is accessible without authentication or user interaction, any unauthenticated attacker can retrieve this information simply by accessing the URL hosting the phpinfo.php file. The exposure of such information can facilitate reconnaissance activities, enabling attackers to identify software versions, server configurations, and other details that can be leveraged to craft targeted attacks or exploit other vulnerabilities. The vulnerability is categorized under CWE-200, indicating exposure of sensitive information to unauthorized actors. The CVSS 3.1 base score of 5.3 reflects a medium severity, with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. No known exploits have been reported in the wild, but the risk remains significant due to the nature of the information exposed. The vulnerability affects all versions of the plugin up to 0.9.0, and no official patches or updates have been linked yet. The plugin is used in WordPress environments, which are widely deployed globally, making the potential attack surface broad.

The primary impact of this vulnerability is the unauthorized disclosure of sensitive server and environment information. While this does not directly allow code execution or data modification, the information gained can significantly aid attackers in planning further attacks, such as identifying vulnerable software versions, misconfigurations, or exploitable modules. This reconnaissance can lead to privilege escalation, data breaches, or denial of service if combined with other vulnerabilities. Organizations using the affected plugin expose themselves to increased risk of targeted attacks, especially if the disclosed information reveals critical infrastructure details. The vulnerability affects availability minimally but impacts confidentiality by leaking sensitive configuration data. The ease of exploitation (no authentication or user interaction) increases the likelihood of scanning and information harvesting by attackers. Overall, the vulnerability lowers the security posture of affected WordPress sites and can be a stepping stone for more severe compromises.

To mitigate this vulnerability, organizations should immediately verify if the phpinfo.php script is present and publicly accessible on their WordPress sites using the Yame | Link In Bio plugin. If found, the script should be removed or access restricted via web server configuration (e.g., .htaccess rules, IP whitelisting, or authentication). Administrators should monitor for official patches or updates from the plugin vendor and apply them promptly once available. Additionally, implementing web application firewalls (WAFs) to detect and block access to sensitive files can reduce exposure. Regular security audits and scans should be conducted to identify similar information disclosure issues. Limiting the amount of sensitive information exposed by PHP configurations (e.g., disabling phpinfo() in production environments) is also recommended. Finally, educating development and operations teams about the risks of leaving diagnostic scripts accessible in production environments can prevent similar issues.