CVE-2025-11379 – The WebP Express WordPress plugin exposes confi... (How to Fix)

📋 TL;DR

The WebP Express WordPress plugin exposes configuration data through predictable config file names on NGINX servers. Unauthenticated attackers can access sensitive configuration information. All WordPress sites using WebP Express up to version 0.25.9 are affected.

💻 Affected Systems

Products:

WebP Express WordPress Plugin

Versions: All versions up to and including 0.25.9

Operating Systems: Any

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects NGINX web servers; Apache with .htaccess is protected by default

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers obtain database credentials, API keys, or other sensitive configuration data leading to full site compromise.

🟠

Likely Case

Attackers extract configuration details that could enable further attacks or reconnaissance.

🟢

If Mitigated

Limited exposure of non-critical configuration data with no authentication bypass.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP request to predictable config file path

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.26.0

Vendor Advisory: https://wordpress.org/plugins/webp-express/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find WebP Express and click 'Update Now'
4. Verify version is 0.26.0 or higher

🔧 Temporary Workarounds

NGINX Location Block Restriction

linux

Add NGINX configuration to block access to WebP Express config files

location ~* "/wp-content/plugins/webp-express/.*\.json$" {
    deny all;
    return 403;
}

🧯 If You Can't Patch

Temporarily disable WebP Express plugin
Implement WAF rules to block requests to *.json files in webp-express directory

🔍 How to Verify

Check if Vulnerable:

Check if accessing https://yoursite.com/wp-content/plugins/webp-express/config/config.json returns configuration data

Check Version:

wp plugin list | grep webp-express

Verify Fix Applied:

Verify plugin version is 0.26.0+ and config.json access returns 403/404

📡 Detection & Monitoring

Log Indicators:

HTTP 200 responses to /wp-content/plugins/webp-express/*.json files
Multiple failed attempts to access config files

Network Indicators:

Unusual GET requests to plugin config file paths
Traffic patterns targeting /wp-content/plugins/webp-express/

SIEM Query:

source="web_server" AND (uri_path="/wp-content/plugins/webp-express/*.json" AND status=200)

📊 Metadata

CVE ID: CVE-2025-11379

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-200

EPSS Score: 0.06% exploit probability (19.1th percentile)

Published: December 4, 2025

Last Updated: December 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-11379, you might also want to check these: