CVE-2025-4222: 
WordPress vulnerability analysis and mitigation

The Database Toolset plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 1.8.4. The vulnerability was disclosed on May 2, 2025, and is tracked as CVE-2025-4222. The issue stems from backup files being stored in a publicly accessible location, which allows unauthenticated attackers to potentially access sensitive database backup data (NVD CVE, Wiz Report).

The vulnerability has been assigned a CVSS v3.1 score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that while the vulnerability can be exploited remotely (AV:N) and requires no privileges (PR:N) or user interaction (UI:N), it does have high attack complexity (AC:H). The impact is limited to confidentiality (C:H), with no impact on integrity or availability. An index file is present, requiring successful brute force attempts to compromise data (NVD CVE).

If successfully exploited, attackers could gain unauthorized access to sensitive database backup files. These backups potentially contain confidential information such as user data, configuration settings, and other critical database contents. While the presence of an index file provides some protection, successful brute force attempts could lead to data exposure (Wiz Report).

Website administrators running the Database Toolset plugin should immediately update to a version newer than 1.8.4 if available. In the interim, it is recommended to implement additional access controls or restrictions on the backup file directory to prevent unauthorized access (Wiz Report).