CVE-2025-11504: 
WordPress vulnerability analysis and mitigation

The Quickcreator – AI Blog Writer plugin for WordPress has been identified with a Sensitive Information Exposure vulnerability (CVE-2025-11504) affecting versions 0.0.9 to 0.1.17. The vulnerability was discovered and disclosed on October 24, 2025, and allows unauthenticated attackers to access sensitive API key information through the /wp-content/plugins/quickcreator/dupasrala.txt file (NVD NIST).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The weakness has been categorized as CWE-532 (Insertion of Sensitive Information into Log File). The technical issue stems from improper protection of the API key stored in a publicly accessible text file (NVD NIST).

The exposure of the API key enables unauthorized attackers to perform various actions on the affected WordPress sites, including creating new posts and potentially injecting XSS payloads. This compromises the security of the content management system and could lead to unauthorized content creation and potential cross-site scripting attacks (NVD NIST).

The vulnerability has been addressed in version 0.1.18 of the Quickcreator plugin. Users are strongly advised to update their plugin to this latest version to mitigate the security risk (WordPress Plugin).