CVE-2025-2880 is a medium severity vulnerability affecting the Yame | Link In Bio WordPress plugin, versions up to and including 0.9.0. The vulnerability arises from the presence of a publicly accessible phpinfo.php script within the plugin's installation. This script exposes detailed PHP environment information, including server configuration, loaded modules, environment variables, and potentially sensitive data such as database connection details, API keys, or other credentials if they are present in the environment or configuration files. Because the script is accessible without authentication or user interaction, any unauthenticated attacker can retrieve this information simply by accessing the phpinfo.php endpoint on a vulnerable WordPress site. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS 3.1 base score is 5.3, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and impact limited to confidentiality (C:L) without affecting integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet, suggesting that mitigation may require manual removal or restriction of access to the phpinfo.php script or plugin updates once available. The vulnerability does not allow direct code execution or system compromise but can aid attackers in reconnaissance and subsequent targeted attacks by revealing sensitive configuration details that could facilitate privilege escalation or lateral movement within the affected environment.

For European organizations, this vulnerability poses a risk primarily related to confidentiality breaches. Exposure of sensitive server and application configuration details can enable attackers to craft more effective attacks, such as exploiting other vulnerabilities, credential theft, or unauthorized access. Organizations handling personal data under GDPR must be particularly cautious, as leakage of environment variables or credentials could lead to data breaches with regulatory and reputational consequences. The vulnerability affects WordPress sites using the Yame | Link In Bio plugin, which is popular among social media managers, marketing teams, and small to medium enterprises for managing link aggregation. If exploited, attackers could gain insights into the hosting environment, potentially facilitating further attacks like SQL injection, cross-site scripting, or privilege escalation. Although the vulnerability itself does not directly compromise integrity or availability, the information disclosed can be leveraged in multi-stage attacks. Given the widespread use of WordPress in Europe and the increasing reliance on social media marketing tools, the vulnerability could impact a broad range of sectors including retail, media, and professional services. The lack of required authentication and user interaction increases the risk of automated scanning and exploitation attempts.

1. Immediate mitigation should involve restricting access to the phpinfo.php script by removing or renaming the file if it is not required for operational purposes. 2. Implement web server access controls (e.g., .htaccess rules for Apache or equivalent for Nginx) to limit access to the phpinfo.php endpoint to trusted IP addresses or authenticated users only. 3. Monitor web server logs for any access attempts to phpinfo.php or unusual scanning activity targeting this endpoint. 4. Update the Yame | Link In Bio plugin to a patched version once released by the vendor. Until then, consider disabling or uninstalling the plugin if the phpinfo.php script cannot be secured. 5. Conduct a thorough review of the server environment to ensure no sensitive credentials or secrets are exposed in environment variables or configuration files accessible via phpinfo.php. 6. Employ web application firewalls (WAFs) to detect and block requests to sensitive endpoints like phpinfo.php. 7. Educate site administrators about the risks of exposing diagnostic scripts publicly and enforce secure development and deployment practices to avoid inclusion of such scripts in production environments.