CVE-2025-2883: 
WordPress vulnerability analysis and mitigation

The Accept SagePay Payments Using Contact Form 7 plugin for WordPress is vulnerable to Sensitive Information Exposure (CVE-2025-2883) in all versions up to and including 2.0. The vulnerability exists through the publicly accessible phpinfo.php script, which allows unauthenticated attackers to view potentially sensitive information contained in the exposed file. The issue was discovered and disclosed on April 8, 2025 (NVD).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that the vulnerability can be exploited remotely with low attack complexity and requires no privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to access sensitive system information through the exposed phpinfo.php file. This information disclosure could potentially reveal server configuration details, installed modules, and other sensitive system information that could be used to plan further attacks (NVD).

The vulnerability has been patched in version 2.1 of the plugin. Users are strongly advised to update to this latest version immediately. The update removes the exposed phpinfo.php file and implements proper security controls (WordPress Plugin).