CVE-2025-6722
BitFire <= 4.5 - Unauthenticated Information Exposure
The BitFire Security – Firewall, WAF, Bot/Spam Blocker, Login Security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5 via the bitfire_* directory that automatically gets created and stores potentially sensitive files without any access restrictions. This makes it possible for unauthenticated attackers to extract sensitive data from various files like config.ini, debug.log, and more when directory listing is enabled on the server and the ~/wp-content/plugins/index.php file is missing or ignored.
| CWE | CWE-200 |
| Vendor | bitslip6 |
| Product | bitfire security – firewall, waf, bot/spam blocker, login security |
| Published | Aug 2, 2025 |
| Last Updated | Apr 8, 2026 |
Get instant alerts for bitslip6 bitfire security – firewall, waf, bot/spam blocker, login security
Be the first to know when new medium vulnerabilities affecting bitslip6 bitfire security – firewall, waf, bot/spam blocker, login security are published — delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N