CVE-2025-4222
Database Toolset <= 1.8.4 - Unauthenticated Sensitive Information Exposure via Backup Files
CVSS Score
5.9
EPSS Score
0.0%
EPSS Percentile
0th
The Database Toolset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.4 via backup files stored in a publicly accessible location. This makes it possible for unauthenticated attackers to extract sensitive data from database backup files. An index file is present, so a brute force attack would need to be successful in order to compromise any data.
| CWE | CWE-200 |
| Vendor | neoslab |
| Product | database toolset |
| Published | May 3, 2025 |
| Last Updated | Apr 8, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
Affected Versions
neoslab / Database Toolset
0 ≤ 1.8.4
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/fa452a9a-9e26-41a1-8dea-4bafaf735bee?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/database-toolset/trunk/admin/class-database-toolset-backup.php#L76
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/database-toolset/trunk/admin/class-database-toolset-admin.php#L247
guyshavit.com: https://www.guyshavit.com/post/cve-2025-4222
Credits
Guy Shavit