CVE-2025-6082 is a medium-severity vulnerability affecting the Birth Chart Compatibility plugin for WordPress developed by mia4. This vulnerability is classified as CWE-200, which involves the exposure of sensitive information to unauthorized actors. Specifically, the issue arises from insufficient access controls on the plugin's index.php file. When an unauthenticated attacker directly accesses this file, it triggers an error message that discloses the full filesystem path of the web application. This full path disclosure can provide attackers with valuable information about the server environment and directory structure, which may facilitate further targeted attacks such as local file inclusion, remote code execution, or privilege escalation if combined with other vulnerabilities. The vulnerability affects all versions up to and including version 2.0 of the plugin. The CVSS v3.1 base score is 5.3, indicating a medium level of severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality only (C:L), without affecting integrity or availability. Although the disclosed information alone is not sufficient to compromise the system, it lowers the barrier for attackers to exploit other existing vulnerabilities. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was publicly disclosed on July 22, 2025, with the initial reservation date on June 13, 2025. The plugin is used within WordPress environments, which are widely deployed across various sectors globally.

For European organizations, the exposure of the full filesystem path through this vulnerability can increase the risk profile of WordPress sites using the Birth Chart Compatibility plugin. While the direct impact is limited to information disclosure, this can aid attackers in crafting more effective attacks, especially in environments where other vulnerabilities exist. This is particularly concerning for organizations handling sensitive personal data or operating in regulated sectors such as finance, healthcare, or government, where even minor information leaks can lead to compliance issues under GDPR or other data protection laws. Additionally, the widespread use of WordPress in Europe for corporate websites, e-commerce platforms, and public sector portals means that a significant number of organizations could be indirectly affected if they use this plugin. The vulnerability could be leveraged as a reconnaissance step in multi-stage attacks, potentially leading to data breaches or service disruptions if combined with other exploits. The absence of required authentication and user interaction makes it easier for remote attackers to probe for this weakness without alerting users or administrators.

European organizations should immediately audit their WordPress installations to identify the presence of the Birth Chart Compatibility plugin, especially versions up to 2.0. Until an official patch is released, administrators should consider the following specific mitigations: 1) Restrict direct access to the plugin directory and index.php file via web server configuration (e.g., using .htaccess rules in Apache or location blocks in Nginx) to prevent unauthorized HTTP requests that trigger the error. 2) Implement web application firewall (WAF) rules to detect and block requests targeting the vulnerable plugin paths. 3) Monitor web server logs for suspicious access attempts to the plugin’s files to detect potential reconnaissance activity. 4) Conduct a comprehensive vulnerability assessment to identify and remediate any other vulnerabilities that could be chained with this information disclosure. 5) Follow best practices for error handling in WordPress plugins by suppressing detailed error messages in production environments to avoid leaking sensitive information. 6) Engage with the plugin vendor or community to track the release of official patches and apply them promptly once available. 7) Consider temporarily disabling or removing the plugin if it is not essential to reduce the attack surface.