CVE-2025-11504
📋 TL;DR
The Quickcreator WordPress plugin exposes API keys through an accessible text file, allowing unauthenticated attackers to obtain credentials and perform unauthorized actions like creating posts and injecting malicious scripts. This affects WordPress sites using Quickcreator plugin versions 0.0.9 through 0.1.17.
💻 Affected Systems
- Quickcreator – AI Blog Writer WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control of the WordPress site by using exposed API keys to create administrator accounts, inject persistent malware, or deface the website.
Likely Case
Attackers create spam posts, inject XSS payloads to steal visitor credentials, or use the site for phishing campaigns.
If Mitigated
Limited impact if API keys are quickly revoked and the file is removed before exploitation.
🎯 Exploit Status
Exploitation requires only accessing a publicly accessible file and using the exposed API key.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.1.18 or later
Vendor Advisory: https://wordpress.org/plugins/quickcreator/
Restart Required: No
Instructions:
1. Update the Quickcreator plugin to version 0.1.18 or later via the WordPress admin panel.
2. Verify that the /wp-content/plugins/quickcreator/dupasrala.txt file no longer exists or, if it does, no longer contains API keys or other sensitive data.
🔧 Temporary Workarounds
Remove vulnerable file
Linux shell: manually delete the exposed text file containing the API keys
rm /path/to/wordpress/wp-content/plugins/quickcreator/dupasrala.txt
Block file access via .htaccess
All versions: prevent web access to the vulnerable file with an Apache <Files> directive in .htaccess (the block below uses Apache 2.2-style Order/Deny directives, which on Apache 2.4 require mod_access_compat; the 2.4-native equivalent is Require all denied, and .htaccess has no effect on nginx or other non-Apache servers)
<Files "dupasrala.txt">
Order Allow,Deny
Deny from all
</Files>
🧯 If You Can't Patch
- Disable or uninstall the Quickcreator plugin immediately
- Rotate all API keys and credentials used by the plugin
🔍 How to Verify
Check if Vulnerable:
Access https://yoursite.com/wp-content/plugins/quickcreator/dupasrala.txt in a browser. If the file exists and contains API keys, the site is vulnerable.
Check Version:
wp plugin list --name=quickcreator --field=version
Verify Fix Applied:
Verify that the file no longer exists (a request for it returns a 404 error), and check that the plugin version shown in WordPress admin is 0.1.18 or later.
📡 Detection & Monitoring
Log Indicators:
- Requests to /wp-content/plugins/quickcreator/dupasrala.txt that return HTTP status 200 (a successful read of the exposed file)
- Unusual POST requests to WordPress REST API using quickcreator endpoints
Network Indicators:
- Outbound connections to AI services using exposed API keys
- Unusual traffic patterns from the WordPress site
SIEM Query:
source="web_logs" AND uri="/wp-content/plugins/quickcreator/dupasrala.txt" AND response="200"
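For environments without a SIEM, the same log indicator can be checked directly against the web server access log. The script below is an added example, not part of the advisory or the plugin; it assumes the Apache/nginx "combined" log format and uses constructed sample lines, flagging successful (2xx) reads of the exposed file while tolerating query strings, doubled slashes and case variants of the path.

```python
import re

# Path of the exposed key file named in the advisory (CVE-2025-11504).
EXPOSED_PATH = "/wp-content/plugins/quickcreator/dupasrala.txt"

# Apache/nginx "combined" log format (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def normalize_path(path: str) -> str:
    """Drop the query string, collapse repeated slashes and lower-case the path
    so trivial variants of the same request are not missed."""
    path = path.split("?", 1)[0]
    while "//" in path:
        path = path.replace("//", "/")
    return path.lower()

def find_exposure_hits(lines):
    """Return (ip, timestamp, status, user_agent) for every successful (2xx)
    request for the exposed file, in log order. Unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if normalize_path(m["path"]) != EXPOSED_PATH:
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            hits.append((m["ip"], m["ts"], status, m["ua"]))
    return hits

# Constructed sample log lines (not real traffic): a successful read, a 404
# after the fix, an unrelated plugin file, and a query-string/double-slash variant.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:09:14:02 +0000] "GET /wp-content/plugins/quickcreator/dupasrala.txt HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.7 - - [10/Oct/2025:09:14:05 +0000] "GET /wp-content/plugins/quickcreator/dupasrala.txt HTTP/1.1" 404 196 "-" "curl/8.4.0"
198.51.100.3 - - [10/Oct/2025:09:15:11 +0000] "GET /wp-content/plugins/quickcreator/readme.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2025:09:16:30 +0000] "GET //wp-content/plugins/quickcreator/DUPASRALA.txt?x=1 HTTP/1.1" 200 812 "-" "python-requests/2.31"
""".splitlines()

if __name__ == "__main__":
    for ip, ts, status, ua in find_exposure_hits(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {ua}")
```

Any hit before the patch date means the key in that file should be treated as compromised and rotated, not merely removed.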