CVE-2025-13681 Overview
The BFG Tools – Extension Zipper plugin for WordPress contains a Path Traversal vulnerability in all versions up to and including 1.0.7. The plugin's zip() function does not adequately validate the user-supplied first_file parameter, so an authenticated attacker with Administrator-level access or above can read arbitrary files and directories outside the intended /wp-content/plugins/ directory. Sensitive configuration files such as wp-config.php, which holds the database credentials and authentication keys, are at risk of exposure.
Critical Impact
Authenticated administrators can exploit path traversal sequences to access sensitive WordPress configuration files including wp-config.php, potentially exposing database credentials, authentication salts, and other sensitive site configuration data.
Affected Products
- BFG Tools – Extension Zipper plugin for WordPress versions up to and including 1.0.7
Discovery Timeline
- 2026-02-14 - CVE-2025-13681 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-13681
Vulnerability Analysis
This Path Traversal vulnerability (CWE-22) affects the zip() function within the BFG Tools – Extension Zipper WordPress plugin. The function is designed to create ZIP archives of plugin files from the /wp-content/plugins/ directory. However, due to inadequate input validation on the first_file parameter, authenticated users with administrative privileges can manipulate the file path to traverse outside the intended directory scope.
The vulnerability enables access to sensitive files throughout the WordPress installation and potentially the underlying server filesystem, limited by the permissions of the PHP worker process. Because the attack requires administrative authentication, the realistic threats are a compromised administrator account or a malicious insider, either of whom could extract critical configuration data, including the database connection settings and WordPress security keys stored in wp-config.php. Note that on a default single-site install an Administrator can already install plugins and edit theme files from the dashboard, so this flaw adds little beyond what the role permits; it matters most on hardened installs where DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT is set, and on multisite networks, where a site administrator cannot install plugins.
Root Cause
The root cause is insufficient input validation and sanitization of the first_file parameter passed to the zip() function located at line 290 in bfg-tools-extension-zipper.php. The function fails to properly validate that the requested file path remains within the intended /wp-content/plugins/ directory boundary, allowing directory traversal sequences such as ../ to escape the restricted path.
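The missing check, as an added illustration that is not the plugin's own code (the plugin is PHP; the same containment logic applies there with realpath() and a prefix comparison): a flawed resolver that joins first_file onto the plugins directory and trusts the result, beside a hardened one that resolves symlinks and ".." first and then requires the result to stay inside the base. The directory layout, file names and the check_cases() helper are constructed for the demo; the parameter name first_file comes from the advisory. The payload depth needed to reach wp-config.php depends on which directory the real function joins from, so the cases below are relative to /wp-content/plugins/.

```python
import os
import tempfile
from pathlib import Path

# Hypothetical stand-ins for the plugin's zip() path handling, not the
# plugin's own PHP. They model the check that was missing: confining
# first_file to the plugins directory after '..' and symlinks are resolved.


def unsafe_resolve(plugins_dir: str, first_file: str) -> str:
    """The flawed pattern: join the parameter onto the base and trust it.
    '..' segments are honoured and an absolute first_file discards the base,
    so the result may land anywhere the PHP worker can read."""
    return os.path.normpath(os.path.join(plugins_dir, first_file))


def safe_resolve(plugins_dir: str, first_file: str) -> str:
    """Hardened pattern: resolve both paths (symlinks and '..' included) and
    require the candidate to be the base itself or a descendant of it.
    Rejects traversal, absolute paths and symlink escapes alike."""
    base = Path(plugins_dir).resolve()
    candidate = (base / first_file).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError(f"first_file escapes the plugin directory: {first_file!r}")
    return str(candidate)


def build_fixture() -> str:
    """Constructed WordPress-like tree for the demo: wp-config.php two levels
    above the plugins directory, plus one legitimate plugin file inside it.
    Returns the plugins directory path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    plugins = os.path.join(root, "wp-content", "plugins")
    os.makedirs(os.path.join(plugins, "hello-dolly"))
    Path(root, "wp-config.php").write_text(
        "<?php define('DB_PASSWORD', 'constructed-secret');\n")
    Path(plugins, "hello-dolly", "hello.php").write_text(
        "<?php // legitimate plugin file\n")
    return plugins


def check_cases(plugins_dir: str) -> dict:
    """Run representative first_file values through both resolvers. For each
    payload report whether the unsafe join leaves plugins_dir, whether it
    lands on an existing file, and whether the hardened check rejects it."""
    payloads = [
        "hello-dolly/hello.php",                # legitimate request
        "../../wp-config.php",                  # classic traversal
        "hello-dolly/../../../wp-config.php",   # traversal behind a real segment
        "/etc/passwd",                          # absolute path, base discarded
    ]
    base = Path(plugins_dir).resolve()
    results = {}
    for payload in payloads:
        unsafe = Path(unsafe_resolve(plugins_dir, payload)).resolve()
        escaped = unsafe != base and base not in unsafe.parents
        try:
            safe_resolve(plugins_dir, payload)
            rejected = False
        except ValueError:
            rejected = True
        results[payload] = {
            "unsafe_escapes": escaped,
            "unsafe_exists": unsafe.is_file(),
            "hardened_rejects": rejected,
        }
    return results


if __name__ == "__main__":
    for payload, outcome in check_cases(build_fixture()).items():
        print(f"{payload!r}: {outcome}")
```

The important detail is that the comparison happens on the fully resolved path, not on the raw string: a blocklist for "../" misses encoded variants and symlinks, while the resolved-prefix check is indifferent to how the escape was spelled. In the web context the URL decoding has already happened by the time the value reaches the function, so the check operates on the decoded parameter.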
Attack Vector
The attack vector is network-based and requires authenticated access with Administrator-level privileges. An attacker must:
- Obtain valid WordPress administrator credentials
- Access the plugin's zip functionality
- Inject path traversal sequences (e.g., ../../../wp-config.php) into the first_file parameter
- Retrieve the generated ZIP archive containing the targeted sensitive files
The vulnerability is accessible through the WordPress admin interface, making it exploitable over HTTP/HTTPS connections. Technical details and vulnerable code can be reviewed in the WordPress Plugin Source Code.
Detection Methods for CVE-2025-13681
Indicators of Compromise
- Unusual ZIP file creation requests whose first_file parameter contains path traversal patterns such as ../, ..%2F, %2e%2e%2f, the double-encoded %252e%252e%252f, or the backslash form ..\ (match on the decoded value, not the raw query string)
- Access to wp-config.php or other sensitive files outside /wp-content/plugins/ through the plugin's functionality
- Unexpected file access patterns from administrative accounts targeting configuration files
- Log entries showing requests to the plugin's zip endpoint with encoded or obfuscated directory traversal sequences
Detection Strategies
- Monitor WordPress admin action logs for unusual plugin activity related to BFG Tools – Extension Zipper
- Implement Web Application Firewall (WAF) rules to detect and block path traversal patterns in request parameters
- Review web server access logs for requests containing ../ sequences targeting the plugin endpoints
- Enable file integrity monitoring on sensitive files including wp-config.php, bearing in mind that it detects modification, not reads: exploitation of this flaw is a read through the same PHP worker that legitimately loads wp-config.php on every request, so FIM will not flag the exfiltration itself, only later tampering once stolen credentials are used
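The log review described in the indicators and detection strategies above, as an added example that is not part of the original advisory: a scanner over Apache combined-format access-log lines that pulls the first_file parameter out of each request, percent-decodes it until stable (so %2e%2e%2f and double-encoded %252e%252e%252f both collapse to "../"), and flags traversal and absolute-path values. The log lines are constructed; the admin page slug page=bfg-extension-zipper is a hypothetical stand-in, since the advisory does not name the endpoint, and the parameter name first_file is the one the advisory gives.

```python
import re
import urllib.parse

# Constructed sample log (Apache combined format). Documentation IPs only.
# The page slug is hypothetical; first_file is the parameter named in the
# advisory. Line 1 is a legitimate request, lines 2, 4, 5 and 6 are attacks.
SAMPLE_LOG = """\
203.0.113.7 - admin [14/Feb/2026:10:21:48 +0000] "GET /wp-admin/admin.php?page=bfg-extension-zipper&first_file=hello-dolly%2Fhello.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - admin [14/Feb/2026:10:22:01 +0000] "GET /wp-admin/admin.php?page=bfg-extension-zipper&first_file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Feb/2026:10:22:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - admin [14/Feb/2026:10:23:15 +0000] "GET /wp-admin/admin.php?page=bfg-extension-zipper&first_file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - editor [14/Feb/2026:10:24:02 +0000] "GET /wp-admin/admin.php?page=bfg-extension-zipper&first_file=..%5C..%5Cwp-config.php HTTP/1.1" 403 512 "-" "curl/8.4.0"
203.0.113.7 - admin [14/Feb/2026:10:25:40 +0000] "GET /wp-admin/admin.php?page=bfg-extension-zipper&first_file=%2Fetc%2Fpasswd HTTP/1.1" 200 3072 "-" "Mozilla/5.0"
"""

# ip, ident, user, timestamp, request line, status (remaining fields ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# A '..' segment bounded by slash or backslash (or string start/end).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Unix absolute path or Windows drive path.
ABSOLUTE_RE = re.compile(r"^([\\/]|[A-Za-z]:[\\/])")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so single and
    double-encoded traversal sequences are normalised before matching."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(first_file: str):
    """Return 'traversal' or 'absolute-path' for a dangerous value, else None."""
    value = decode_fully(first_file)
    if TRAVERSAL_RE.search(value):
        return "traversal"
    if ABSOLUTE_RE.match(value):
        return "absolute-path"
    return None


def scan_access_log(lines):
    """Return one hit per request whose first_file parameter is suspicious.
    Each hit carries the source IP, authenticated user (if the server logs
    one), timestamp, response status, decoded payload and the reason."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m["target"]).query
        for key, raw in urllib.parse.parse_qsl(query, keep_blank_values=True):
            if key != "first_file":
                continue
            reason = is_suspicious(raw)
            if reason:
                hits.append({
                    "ip": m["ip"], "user": m["user"], "ts": m["ts"],
                    "status": m["status"], "payload": decode_fully(raw),
                    "reason": reason,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} user={hit['user']} "
              f"status={hit['status']} {hit['reason']}: {hit['payload']}")
```

Two caveats when applying this to real logs. Access logs only record the query string: if the plugin submits first_file in a POST body, the parameter never appears there and you need WAF logs, request-body logging, or the plugin's own audit trail. And a 200 response to a traversal payload (as on lines 2, 4 and 6 above) is the signal that a ZIP containing the target was likely served, whereas a 403 (line 5, a non-administrator) shows the capability check holding but still identifies an account worth reviewing.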
Monitoring Recommendations
- Alert on attempts to fetch wp-config.php (or backup copies such as wp-config.php.bak) directly over HTTP, and on any read of it by a process other than the web server's PHP worker; reads by the PHP worker itself are normal and cannot distinguish this exploit, so pair this with request-level monitoring of the first_file parameter
- Implement real-time monitoring of administrator actions within WordPress
- Deploy endpoint detection solutions to identify unauthorized file access patterns
- Review ZIP file generation logs for files outside expected plugin directories
How to Mitigate CVE-2025-13681
Immediate Actions Required
- Update the BFG Tools – Extension Zipper plugin to a patched version beyond 1.0.7
- Review WordPress administrator account access and ensure only trusted users have elevated privileges
- Audit recent plugin activity logs for signs of exploitation attempts
- Consider temporarily deactivating the plugin until a patch is applied
Patch Information
A security update addressing this vulnerability is available. The fix can be reviewed in the WordPress ChangeSet Update. WordPress site administrators should update to the latest version of the plugin through the WordPress admin dashboard or by downloading the patched version from the WordPress Plugin Directory. Additional vulnerability details are available in the Wordfence Vulnerability Report.
Workarounds
- Temporarily disable the BFG Tools – Extension Zipper plugin until the patch is applied
- Implement strict input validation through a WAF that blocks path traversal sequences in the first_file parameter (../, ..%2F, %2e%2e%2f, double-encoded and backslash variants), matching after URL decoding so that encoded forms are not missed
- Restrict administrator access to trusted IP addresses only
- Move sensitive configuration files outside the web root where feasible (WordPress will load wp-config.php from the directory directly above the install root if it is absent from the root); note that this reduces exposure to direct download and web server misconfiguration but does not defeat this traversal, which can simply add another ../ to reach the new location
- Enable additional authentication factors for WordPress administrator accounts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.