CVE-2025-6722: 
WordPress vulnerability analysis and mitigation

The BitFire Security plugin for WordPress (Firewall, WAF, Bot/Spam Blocker, Login Security) contains a Sensitive Information Exposure vulnerability (CVE-2025-6722) affecting all versions up to and including 4.5. The vulnerability was discovered and reported by Wordfence on August 1, 2025, and was last modified on August 5, 2025 (NVD).

The vulnerability stems from the bitfire_* directory that is automatically created during plugin installation. This directory stores potentially sensitive files without proper access restrictions. When directory listing is enabled on the server, the vulnerability allows unauthenticated attackers to access sensitive data including configuration files (config.ini) and log files (debug.log). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, and is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows unauthorized access to sensitive information stored in the BitFire Security plugin's directory. Attackers can potentially access configuration files and log data, which might contain sensitive information about the website's security setup and system details (NVD).

A fix has been implemented using file rewrite to prevent unauthorized access to sensitive files, as evidenced by changes in the WordPress plugin repository on July 28, 2025 (WordPress Plugin).