CVE-2025-2883 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the 'Accept SagePay Payments Using Contact Form 7' plugin for WordPress, developed by zealopensource. The issue arises because the plugin includes a publicly accessible phpinfo.php script in all versions up to and including 2.0. This script exposes detailed PHP environment information such as server configuration, installed modules, environment variables, and potentially sensitive data like API keys or database credentials if they are set as environment variables. Since the script is accessible without authentication or user interaction, any remote attacker can retrieve this information simply by accessing the URL hosting the vulnerable plugin. The exposure of such information can aid attackers in crafting more effective attacks, such as privilege escalation, targeted exploits, or lateral movement within the affected environment. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning it is remotely exploitable with low attack complexity, requires no privileges or user interaction, and impacts confidentiality only. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on March 27, 2025, and published on April 8, 2025.

The primary impact of CVE-2025-2883 is the unauthorized disclosure of sensitive information that could compromise the confidentiality of the affected systems. Exposure of PHP configuration and environment variables may reveal critical details such as database connection strings, API keys, or internal network information. This information can be leveraged by attackers to perform further attacks, including privilege escalation, injection attacks, or unauthorized access to backend systems. For organizations running e-commerce websites using the affected plugin, this could lead to customer data compromise or financial fraud if attackers use the disclosed information to bypass payment security controls. Although the vulnerability does not directly affect integrity or availability, the indirect consequences of information leakage can be severe, especially in environments with weak security controls. The ease of exploitation and lack of authentication requirements increase the risk, particularly for publicly accessible websites. Organizations worldwide that rely on WordPress and this specific plugin for SagePay payment integration are at risk, potentially affecting small to medium-sized businesses and online retailers.

To mitigate CVE-2025-2883, organizations should immediately verify if they are using the 'Accept SagePay Payments Using Contact Form 7' plugin, especially versions up to 2.0. Since no official patch is currently available, administrators should take the following specific actions: 1) Remove or restrict access to the phpinfo.php script by deleting the file or configuring web server rules (e.g., .htaccess or nginx config) to deny all external requests to this file. 2) Implement strict access controls on the plugin directory to prevent unauthorized access to sensitive files. 3) Monitor web server logs for any access attempts to phpinfo.php or unusual requests targeting the plugin. 4) Review and rotate any credentials or API keys that might have been exposed via the phpinfo.php output. 5) Consider disabling or replacing the plugin with a more secure alternative if immediate patching is not feasible. 6) Keep WordPress core and all plugins updated and subscribe to vulnerability advisories for timely patch application. 7) Employ web application firewalls (WAF) to detect and block suspicious requests targeting known vulnerable endpoints. These targeted mitigations go beyond generic advice by focusing on the specific exposed file and environment.