CVE-2025-6722: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in bitslip6 BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security

Medium
Tags: Vulnerability, CVE-2025-6722, CWE-200
Published: Sat Aug 02 2025 (08/02/2025, 09:23:31 UTC)
Source: CVE Database V5
Vendor/Project: bitslip6
Product: BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security

Description

The BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5 via the bitfire_* directory that automatically gets created and stores potentially sensitive files without any access restrictions. This makes it possible for unauthenticated attackers to extract sensitive data from various files like config.ini, debug.log, and more when directory listing is enabled on the server and the ~/wp-content/plugins/index.php file is missing or ignored.

AI-Powered Analysis

Last updated: 08/26/2025, 00:40:41 UTC

Technical Analysis

CVE-2025-6722 is a medium-severity vulnerability affecting the BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security WordPress plugin developed by bitslip6. This vulnerability arises from the automatic creation of a bitfire_* directory within the WordPress plugin's installation path, which stores potentially sensitive files such as config.ini and debug.log. These files may contain configuration details, debugging information, or other sensitive data. The core issue is that this directory lacks proper access restrictions, allowing unauthenticated attackers to access and extract sensitive information if two conditions are met: directory listing is enabled on the web server, and the ~/wp-content/plugins/index.php file is missing or ignored, which would otherwise prevent directory browsing. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.3, indicating a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:L) without affecting integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability affects all versions up to and including 4.5 of the plugin. This exposure can lead to leakage of sensitive configuration and debug data, which could facilitate further attacks such as privilege escalation, credential theft, or targeted exploitation of the WordPress site or its environment.

Potential Impact

For European organizations using WordPress sites with the BitFire Security plugin, this vulnerability poses a risk of sensitive information leakage. Exposure of configuration files and debug logs can reveal internal system details, credentials, or security mechanisms, potentially enabling attackers to craft more effective attacks such as unauthorized access, privilege escalation, or lateral movement within the network. Organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, may face compliance risks if sensitive data is exposed. Additionally, the reputational damage from a breach involving sensitive data exposure can be significant. Since the vulnerability requires directory listing to be enabled and the absence of an index.php file, organizations with misconfigured web servers are at higher risk. The lack of authentication requirement and user interaction means exploitation can be automated and performed remotely, increasing the threat surface. However, the impact is limited to confidentiality, with no direct integrity or availability consequences reported. Overall, the vulnerability can serve as a stepping stone for more severe attacks if exploited.

Mitigation Recommendations

European organizations should take the following specific actions to mitigate this vulnerability:

1) Immediately verify whether the BitFire Security plugin is installed and identify the version; upgrade to a patched version once available.
2) In the interim, restrict access to the bitfire_* directory by implementing proper web server configuration rules (e.g., using .htaccess files on Apache or location blocks in Nginx) to deny all external HTTP requests to this directory.
3) Disable directory listing on the web server globally, or at least for the WordPress plugins directory, to prevent attackers from enumerating files.
4) Ensure that an index.php file exists in the ~/wp-content/plugins/ directory to prevent directory browsing.
5) Review and remove any sensitive files stored in the bitfire_* directory that are not necessary for operation.
6) Conduct a security audit of WordPress installations to detect similar misconfigurations or exposures.
7) Monitor web server logs for suspicious access attempts to the bitfire_* directory or related files.
8) Educate web administrators on secure WordPress plugin management and server hardening best practices.

These targeted mitigations go beyond generic advice by focusing on the specific conditions enabling this vulnerability.
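The following audit and interim-hardening script is an added example, not part of this advisory or of the BitFire plugin: it checks a WordPress document root for the two preconditions described above (missing wp-content/plugins/index.php, and a bitfire_* directory holding config.ini or debug.log without a deny rule) and writes the Apache deny rule from step 2. The document-root path, the Apache 2.4 directive syntax and the Nginx equivalent in the comment are assumptions.

```shell
#!/bin/sh
# Audit a WordPress document root for the CVE-2025-6722 exposure preconditions:
#   (a) wp-content/plugins/index.php missing  -> directory browsing possible
#   (b) a bitfire_* directory holding config.ini/debug.log with no deny rule
# Usage: audit_bitfire_exposure /var/www/html   (path is an assumed example)
# Returns 0 when nothing is exposed, 1 when at least one precondition is met.
audit_bitfire_exposure() {
  root="$1"
  plugins="$root/wp-content/plugins"
  rc=0
  # Precondition (a): the empty index.php is what stops a listing of /plugins/
  if [ ! -f "$plugins/index.php" ]; then
    echo "MISSING: $plugins/index.php (directory listing not blocked)"
    rc=1
  fi
  # Precondition (b): every bitfire_* directory needs an explicit deny rule
  for d in "$plugins"/bitfire_*; do
    [ -d "$d" ] || continue
    for f in config.ini debug.log; do
      [ -f "$d/$f" ] && echo "SENSITIVE: $d/$f"
    done
    # Accept either the Apache 2.4 or the legacy 2.2 deny directive
    if ! grep -qsiE 'Require all denied|Deny from all' "$d/.htaccess"; then
      echo "UNPROTECTED: $d (no deny rule in .htaccess)"
      rc=1
    fi
  done
  return "$rc"
}

# Interim fix for step 2: deny all HTTP access to one bitfire_* directory.
# Apache 2.4 syntax is assumed; "Options -Indexes" needs AllowOverride Options,
# otherwise Apache answers 500 for that directory (not a leak, but noisy).
# Nginx equivalent (assumed, not written here):
#   location ~ /wp-content/plugins/bitfire_ { deny all; }
harden_bitfire_dir() {
  cat > "$1/.htaccess" <<'EOF'
Options -Indexes
Require all denied
EOF
}
```

Run the audit before and after hardening; it only reports what the filesystem shows, so a web-server-level directory listing setting (Apache Options, Nginx autoindex) must still be checked in the server configuration itself.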

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-06-26T14:19:42.461Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 688ddec0ad5a09ad00d2a67a

Added to database: 8/2/2025, 9:47:44 AM

Last enriched: 8/26/2025, 12:40:41 AM

Last updated: 9/2/2025, 1:22:06 AM
