
CVE-2025-9950: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bestwebsoft Error Log Viewer by BestWebSoft

Severity: Medium
Tags: Vulnerability, CVE-2025-9950, CWE-22
Published: Sat Oct 11 2025 (10/11/2025, 09:28:39 UTC)
Source: CVE Database V5
Vendor/Project: bestwebsoft
Product: Error Log Viewer by BestWebSoft

Description

The Error Log Viewer by BestWebSoft plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.6 via the rrrlgvwr_get_file function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

AI-Powered Analysis

Last updated: 10/19/2025, 00:53:45 UTC

Technical Analysis

CVE-2025-9950 is a directory traversal vulnerability (CWE-22) in the Error Log Viewer plugin by BestWebSoft for WordPress, affecting all versions up to and including 1.1.6. The flaw lies in the rrrlgvwr_get_file function, which does not adequately sanitize or restrict the file path parameter it receives. An authenticated attacker with Administrator-level privileges or higher can therefore manipulate that parameter to read arbitrary files on the web server's filesystem. Because the plugin exists to display error logs, the same functionality can be turned to reading files well beyond the intended log files, potentially exposing configuration files, credentials, or other sensitive data. Exploitation requires no user interaction but does require elevated privileges, which limits it to users who already hold administrative access. The CVSS 3.1 base score is 4.9 (medium severity), reflecting a network attack vector, low attack complexity, high privileges required, no user interaction, and a confidentiality impact with no integrity or availability impact. No public exploits or patches are currently known, consistent with a newly disclosed issue. The plugin is widely used in WordPress environments, which are common in European organizations for web presence and content management, so this is a relevant threat vector. Until a patch is released, organizations must rely on compensating controls.
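The missing restriction the analysis describes, shown as an added PHP example of a contained file read; this is not the plugin's code, and the log directory, function names and the request parameter name are assumptions.

```php
<?php
// Added illustration, not code from the Error Log Viewer plugin.
// Assumptions: $log_dir is the only directory meant to be exposed,
// $requested is the untrusted file-path parameter from the request.

function elv_safe_read_log(string $log_dir, string $requested): ?string {
    $base = realpath($log_dir);
    if ($base === false) {
        return null; // configured log directory does not exist
    }
    // Reject NUL bytes early; they can truncate paths in lower layers.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() resolves symlinks and "../" segments before we compare,
    // so the check below sees the path the OS would actually open.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null; // file does not exist
    }
    // Containment check: the resolved path must sit strictly inside $base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the log directory
    }
    // Allow-list the file type as well: regular files ending in .log only.
    if (!is_file($target) || !preg_match('/\.log$/i', $target)) {
        return null;
    }
    return file_get_contents($target);
}

// The unsafe shape for contrast: plain concatenation with no check, which
// lets "../" segments or an absolute path escape $log_dir. Do not use.
function elv_unsafe_read_log(string $log_dir, string $requested): string|false {
    return file_get_contents($log_dir . '/' . $requested);
}

// Hypothetical WordPress call site (parameter name 'file' is assumed):
// if (current_user_can('manage_options')) {
//     $content = elv_safe_read_log(WP_CONTENT_DIR . '/debug-logs',
//                                  sanitize_text_field($_GET['file'] ?? ''));
// }
```

The capability check does not replace the containment check: the advisory's point is that even an Administrator must not be able to read outside the log directory.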

Potential Impact

The primary impact of CVE-2025-9950 is unauthorized disclosure of sensitive information due to the ability to read arbitrary files on the server. For European organizations, this can lead to exposure of confidential data such as configuration files, database credentials, private keys, or personal data protected under GDPR. Such data leakage could facilitate further attacks, including privilege escalation or lateral movement within the network. Since exploitation requires administrator-level access, the threat is mainly from insider threats or compromised admin accounts. The vulnerability does not affect system integrity or availability directly but compromises confidentiality, which can have severe regulatory and reputational consequences in Europe. Organizations relying on WordPress with the affected plugin are at risk, especially those with lax administrator access controls or insufficient monitoring. The absence of known exploits reduces immediate risk but also means attackers could develop exploits undetected. The impact is heightened in sectors with strict data protection requirements such as finance, healthcare, and government.

Mitigation Recommendations

1. Immediately review and restrict administrator-level access to WordPress environments using the Error Log Viewer plugin, ensuring only trusted personnel have such privileges.
2. Monitor WordPress logs and server access logs for unusual file access patterns or attempts to access unexpected files via the plugin interface.
3. Disable or uninstall the Error Log Viewer plugin if it is not essential, to reduce the attack surface.
4. Implement strict file system permissions on the web server to limit the files readable by the web server user, minimizing exposure even if traversal occurs.
5. Use Web Application Firewalls (WAFs) with custom rules to detect and block suspicious path traversal attempts targeting the plugin's endpoints.
6. Stay alert for official patches or updates from BestWebSoft and apply them promptly once available.
7. Conduct regular security audits and vulnerability scans on WordPress installations to detect outdated or vulnerable plugins.
8. Educate administrators on the risks of privilege misuse and enforce strong authentication and session management controls to prevent account compromise.


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-09-03T13:46:51.533Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68ea263e5baaa01f1ca10007

Added to database: 10/11/2025, 9:41:18 AM

Last enriched: 10/19/2025, 12:53:45 AM

Last updated: 12/1/2025, 8:36:27 PM

