CVE-2025-9950: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bestwebsoft Error Log Viewer by BestWebSoft
The Error Log Viewer by BestWebSoft plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.6 via the rrrlgvwr_get_file function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
AI Analysis
Technical Summary
CVE-2025-9950 is a directory traversal vulnerability classified under CWE-22, found in the Error Log Viewer plugin by BestWebSoft for WordPress. The flaw exists in the rrrlgvwr_get_file function, which improperly limits the pathname to restricted directories, allowing an authenticated attacker with Administrator privileges or higher to read arbitrary files on the server. This vulnerability affects all versions up to and including 1.1.6 of the plugin. The attacker can leverage this to access sensitive files such as configuration files, database backups, or other critical data stored on the server, potentially exposing credentials, API keys, or other confidential information. The CVSS v3.1 score is 4.9 (medium severity), reflecting the network attack vector, low attack complexity, requirement for high privileges, no user interaction, and high confidentiality impact but no impact on integrity or availability. No public exploits or patches are currently available, increasing the importance of proactive mitigation. The vulnerability does not allow remote unauthenticated exploitation, limiting the attack surface to users with administrative access. However, compromised or malicious administrators could exploit this to escalate the impact of their access. This vulnerability highlights the importance of secure coding practices in plugin development, especially for functions handling file paths and server resources.
Potential Impact
For European organizations, the primary impact is the potential exposure of sensitive server files containing confidential business data, credentials, or personal information protected under GDPR. Unauthorized disclosure of such data can lead to regulatory penalties, reputational damage, and increased risk of further attacks leveraging exposed information. Since exploitation requires administrative access, the threat is heightened in environments where admin credentials are shared, weakly protected, or where insider threats exist. The vulnerability does not directly affect system integrity or availability but compromises confidentiality, which is critical for compliance-driven sectors such as finance, healthcare, and government. Organizations running WordPress sites with this plugin are at risk of data leakage if attackers gain admin access through phishing, credential reuse, or other means. The lack of known exploits reduces immediate risk but also means attackers could develop undetected exploits. European entities with large WordPress deployments or those using this plugin for error log management should consider this vulnerability a significant risk vector for data breaches.
Mitigation Recommendations
1. Immediately audit all WordPress sites for the presence of the Error Log Viewer plugin by BestWebSoft and identify versions up to 1.1.6.
2. Restrict administrative access strictly to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce the risk of credential compromise.
3. Monitor administrative account activity for unusual file access patterns or attempts to access plugin functions related to error log viewing.
4. Disable or uninstall the plugin if it is not essential, to reduce the attack surface.
5. If the plugin is necessary, isolate the WordPress environment and apply strict file system permissions to limit file readability beyond what the plugin requires.
6. Regularly check for updates or patches from BestWebSoft and apply them promptly once available.
7. Conduct internal penetration testing focusing on privilege escalation and file access vulnerabilities to detect similar issues.
8. Educate administrators on the risks of privilege misuse and the importance of secure credential handling.
9. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious directory traversal attempts within authenticated sessions.
10. Maintain comprehensive logging and alerting on file access events related to the plugin to enable rapid incident response.
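Two checks a defender can take from the list above, as an added example that is not the plugin's own code: a version test for the audit in step 1, and the directory-containment check that a CWE-22 fix in a log-reading function such as rrrlgvwr_get_file needs. The log directory, allowed suffixes and plugin header below are constructed assumptions, not values from the advisory.

```python
import os
import re
from typing import Optional, Tuple

# Constructed values for illustration; the plugin's real log directory and
# allowed file names are not given in the advisory.
LOG_DIR = "/srv/example-site/wp-content/uploads/error-logs"
ALLOWED_SUFFIXES = (".log", ".txt")
LAST_VULNERABLE = (1, 1, 6)  # all versions up to and including 1.1.6 are affected


def safe_log_path(base_dir: str, requested: str) -> Optional[str]:
    """Resolve a user-supplied file name strictly inside base_dir.

    Returns the canonical path, or None if the request escapes the directory,
    names a non-log file, or carries a NUL byte. This is the containment check
    a CWE-22 fix needs; it is a generic illustration, not the plugin's code.
    """
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base for an absolute input, so an absolute
    # request still fails the containment test below.
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


def plugin_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Extract the 'Version:' line from a WordPress plugin file header."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the installed version falls in the advisory's affected range."""
    return version <= LAST_VULNERABLE


if __name__ == "__main__":
    # Constructed header, shaped like the top of a plugin's main PHP file.
    header = "<?php\n/*\nPlugin Name: Error Log Viewer by BestWebSoft\nVersion: 1.1.6\n*/\n"
    print(is_affected(plugin_version(header)))            # True
    print(safe_log_path(LOG_DIR, "debug.log"))            # path inside LOG_DIR
    print(safe_log_path(LOG_DIR, "../../wp-config.php"))  # None
```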
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-03T13:46:51.533Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ea263e5baaa01f1ca10007
Added to database: 10/11/2025, 9:41:18 AM
Last enriched: 10/11/2025, 9:57:38 AM
Last updated: 10/16/2025, 2:51:00 PM