CVE-2025-13681: WordPress BFG Tools Extension Zipper Plugin Allows File Access
Summary
The BFG Tools – Extension Zipper plugin for WordPress has a path traversal flaw that lets an authenticated attacker with Administrator-level access read sensitive files outside the plugin directory. Exploitation requires the attacker to know the plugin's internal file paths. To fix this, update the plugin to version 1.0.8 or higher, or remove it if you don't need it.
Original title
The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied ...
Original description
The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `/wp-content/plugins/` directory, which can contain sensitive information such as wp-config.php.
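The flaw described above is the absence of a containment check on a user-supplied path before it is passed to file operations. The following is an added example of such a check, written for this page; it is not the plugin's own code, and the function name resolve_inside_base, its parameters and the temporary directory layout are hypothetical. It canonicalises the requested path with realpath() and accepts it only when the result still lies under the allowed base directory, which is the CWE-22 mitigation the fix in 1.0.8 would need to provide in some form.

```php
<?php
// Added example (not the plugin's code): confine a user-supplied relative path
// to an allowed base directory. Assumes a POSIX-style filesystem.

/**
 * Resolve $userPath relative to $baseDir and return the canonical absolute path
 * only if it stays inside $baseDir. Returns null for anything else: empty or
 * absolute input, NUL bytes, non-existent targets, or any "../" escape.
 */
function resolve_inside_base(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // the base directory itself must exist
    }
    // Only relative names are expected: reject absolute POSIX paths, Windows
    // drive-letter paths and embedded NUL bytes before touching the filesystem.
    if ($userPath === ''
        || $userPath[0] === '/' || $userPath[0] === '\\'
        || preg_match('#^[A-Za-z]:#', $userPath) === 1
        || strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks, so the comparison
    // below is made on the real target, not on the string the user supplied.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // target does not exist or is not readable
    }
    // Compare with a trailing separator so "/base-other" does not match "/base".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed self-check in a throwaway directory (not real WordPress files).
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'zipper-demo-' . bin2hex(random_bytes(4));
mkdir($tmp . '/plugins/demo', 0700, true);
file_put_contents($tmp . '/plugins/demo/main.php', "<?php // demo plugin file\n");
file_put_contents($tmp . '/outside.txt', "should never be reachable\n");

$base = $tmp . '/plugins';
$cases = [
    'demo/main.php',            // inside base: accepted
    '../outside.txt',           // classic traversal: rejected
    'demo/../../outside.txt',   // traversal through a valid subdirectory: rejected
    $tmp . '/outside.txt',      // absolute path: rejected
    'demo/missing.php',         // non-existent target: rejected
];
foreach ($cases as $input) {
    $result = resolve_inside_base($base, $input);
    printf("%-28s => %s\n", $input, $result === null ? 'REJECTED' : 'ok: ' . $result);
}

// Clean up the constructed directory tree.
unlink($tmp . '/plugins/demo/main.php');
unlink($tmp . '/outside.txt');
rmdir($tmp . '/plugins/demo');
rmdir($tmp . '/plugins');
rmdir($tmp);
```

Run with `php example.php`. Only the first case resolves; the other four are rejected. The prefix comparison is done on the realpath() output rather than on the raw input, so "../" sequences, redundant separators and symlinks that point outside the base are all caught by the same check rather than by a blocklist of suspicious substrings.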
NVD CVSS 3.1 score: 4.9
Vulnerability type: CWE-22 (Path Traversal)
- https://plugins.trac.wordpress.org/browser/bfg-tools-extension-zipper/tags/1.0.7...
- https://plugins.trac.wordpress.org/browser/bfg-tools-extension-zipper/trunk/bfg-...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5bd95df9-4355-4d57-ba4...
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026