Sensitive Information Exposure in BitFire Security Plugin for WordPress
CVE-2025-6722

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Bitfire Security – Firewall, Waf, Bot/spam Blocker, Login Security
Vendor: CVE Published:; 2 August 2025

What is CVE-2025-6722?

The BitFire Security plugin for WordPress exposes sensitive information due to the creation of a 'bitfire_*' directory, which stores potentially sensitive files without adequate access controls. This vulnerability allows unauthenticated attackers to access files such as config.ini and debug.log, leading to potential data breaches. It is essential for WordPress site owners using this plugin to implement necessary security measures and consider upgrading to the latest version to mitigate risks associated with this exposure.

Affected Version(s)

BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security * <= 4.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 2, 2025
Vulnerability Reserved
Jun 26, 2025

Credit

Aurélien BOURDOIS