CVE-2025-34084 is a critical unauthenticated information disclosure vulnerability in the BoldGrid Total Upkeep WordPress plugin (also known as BoldGrid Backup) affecting all versions prior to 1.14.10. The vulnerability arises because the plugin exposes multiple endpoints without requiring authentication, allowing attackers to retrieve sensitive server configuration details and backup metadata. Specifically, the env-info.php endpoint leaks detailed server environment information, while the restore-info.json endpoint reveals the absolute filesystem path of the latest backup. Since backups may include full SQL database dumps, an attacker who obtains the backup path can construct a web-accessible URL under the wp-content/uploads/ directory to download the backup archive. Extracting this archive can expose credential hashes from the wp_users table, enabling offline password cracking or credential stuffing attacks. The vulnerability has a CVSS 4.0 base score of 9.2 (critical), reflecting its high impact and ease of exploitation: no authentication or user interaction is required, and the attack surface is broad due to the public accessibility of the endpoints. The exposure of sensitive information (CWE-200) combined with missing authentication controls (CWE-306) significantly compromises confidentiality and potentially the integrity of WordPress sites using this plugin. Although no known exploits are reported in the wild yet, the vulnerability's nature makes it a prime target for attackers seeking to escalate access or move laterally within compromised environments.

For European organizations using WordPress sites with the BoldGrid Total Upkeep plugin, this vulnerability poses a severe risk. Unauthorized disclosure of server configuration and backup data can lead to credential compromise, enabling attackers to gain administrative access to websites and potentially pivot to internal networks. This can result in data breaches involving personal data protected under GDPR, leading to regulatory penalties and reputational damage. The availability of full database dumps may also expose sensitive customer or business data, increasing the risk of identity theft, fraud, and intellectual property loss. Given the widespread use of WordPress in Europe across sectors such as e-commerce, government, education, and media, the vulnerability could disrupt critical online services and erode trust. Additionally, the ease of exploitation without authentication means that automated scanning and mass exploitation campaigns could rapidly affect multiple European organizations if patches are not applied promptly.

European organizations should immediately verify if their WordPress installations use the BoldGrid Total Upkeep plugin and identify the plugin version. If vulnerable versions are detected, they must upgrade to version 1.14.10 or later where the issue is patched. Until patching is possible, organizations should restrict access to the affected endpoints (env-info.php and restore-info.json) via web server configuration or firewall rules, limiting access to trusted IPs or requiring authentication. Regularly auditing backup storage locations to ensure backups are not publicly accessible is critical. Implementing web application firewalls (WAFs) with rules to detect and block requests targeting these endpoints can provide additional protection. Organizations should also monitor logs for unusual access patterns to these endpoints and conduct credential audits to detect potential compromise. Finally, enforcing strong password policies and multi-factor authentication on WordPress admin accounts will reduce the impact of leaked credential hashes.