Atomic Edge analysis of CVE-2025-13681:
This vulnerability is an authenticated path traversal in the BFG Tools – Extension Zipper WordPress plugin. The flaw allows an attacker with Administrator-level access to read arbitrary files and directories outside the intended /wp-content/plugins/ directory. The vulnerability affects all plugin versions up to and including 1.0.7 and carries a CVSS score of 4.9 (Medium); the low score reflects the high privilege required, not the sensitivity of what can be read.
Root Cause:
The vulnerability exists in the zip() function at lines 201-204 of bfg-tools-extension-zipper.php. The function insufficiently validates the user-supplied 'first_file' parameter. The code builds an absolute path by concatenating the plugins directory with the unsanitized 'first_file' value as $plugins_dir . ltrim( $first, '/' ). ltrim() only strips leading slashes; it does nothing about '../' segments, so a value such as '../../' still escapes the intended plugin directory once the path is resolved. The plugin then calls plugin_dir_path() on this manipulated path, so the directory it goes on to archive can be any location on the filesystem that the web server user can read.
Exploitation:
An authenticated attacker with Administrator privileges submits a POST request to /wp-admin/admin-post.php with action=bfgtoexz_zip and a first_file parameter containing directory traversal sequences. A payload such as '../../../../wp-config.php' causes the plugin to resolve a path outside the plugins directory. The plugin then builds a ZIP archive from that location, and the resulting archive hands the attacker the contents of sensitive files such as wp-config.php, .htaccess, or other configuration files.
Patch Analysis:
The patch in version 1.0.8 adds validation to ensure the resolved path stays within the plugins directory. The fix introduces a check that compares the normalized source path against the expected plugins directory. The code now verifies that the resolved $src path starts with $plugins_dir and contains no directory traversal sequences, rejecting the request otherwise. Checking the normalized (resolved) path rather than the raw parameter matters: a prefix check on the unresolved string would still pass '/wp-content/plugins/../../wp-config.php'.
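To make the two sides concrete, the following PHP is an added illustration (not the plugin's own code and not the vendor's patch) of the vulnerable path construction described under Root Cause beside a hardened check of the kind described under Patch Analysis. The function names, the helper layout under a temporary directory, and the exact check logic are assumptions for this example; only the $plugins_dir . ltrim( $first, '/' ) construction and the "../../wp-config.php" payload come from the analysis above.

```php
<?php
// Added example, not code from bfg-tools-extension-zipper.php.
// Function names and the temp-directory layout are assumptions.

// Vulnerable shape (from the Root Cause section): ltrim() only removes
// leading slashes, so "../" segments survive and escape $plugins_dir.
function bfgtoexz_vuln_src(string $plugins_dir, string $first): string {
    return $plugins_dir . ltrim($first, '/');
}

// Hardened shape: canonicalise both sides with realpath() and require the
// candidate to sit under the plugins directory. Returns null on rejection.
function bfgtoexz_safe_src(string $plugins_dir, string $first): ?string {
    $base = realpath($plugins_dir);
    if ($base === false) {
        return null; // plugins directory itself is missing
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Cheap pre-check: reject any traversal sequence in the raw input.
    if (strpos($first, '..') !== false) {
        return null;
    }

    // realpath() resolves "." / ".." and symlinks, so a symlink inside the
    // plugins directory that points elsewhere is also caught by the prefix test.
    $candidate = realpath($base . ltrim($first, '/'));
    if ($candidate === false) {
        return null; // path does not exist
    }
    if (strncmp($candidate, $base, strlen($base)) !== 0) {
        return null; // resolved path escaped the plugins directory
    }
    return $candidate;
}

// Constructed demo layout mimicking wp-content/plugins/ under a temp dir.
$root = sys_get_temp_dir() . '/bfg_demo_' . getmypid();
mkdir("$root/wp-content/plugins/example-plugin", 0700, true);
file_put_contents("$root/wp-content/plugins/example-plugin/example.php", "<?php\n");
file_put_contents("$root/wp-config.php", "<?php // constructed stand-in for secrets\n");
$plugins_dir = "$root/wp-content/plugins/";

foreach (['example-plugin/example.php', '../../wp-config.php'] as $first) {
    printf("%-28s vulnerable => %s\n", $first, bfgtoexz_vuln_src($plugins_dir, $first));
    printf("%-28s hardened   => %s\n", $first, bfgtoexz_safe_src($plugins_dir, $first) ?? 'rejected');
}
```

Run it with php on any system with a writable temp directory: the vulnerable function happily returns a path ending in /wp-config.php for the traversal payload, while the hardened one rejects it and only accepts the path inside the plugins directory. The realpath() prefix test is the part that actually closes the hole; the strpos('..') pre-check is defence in depth and would also reject a legitimately named file containing "..", which is an acceptable trade-off here.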
Impact:
Successful exploitation allows an attacker to read sensitive files outside the plugin directory, including the WordPress configuration file (wp-config.php, which contains database credentials and the authentication salts), web server configuration such as .htaccess, application secrets in .env files, and other application files. The vulnerability requires Administrator access, and on a default single-site install an Administrator can already upload plugins or use the built-in file editor unless DISALLOW_FILE_MODS or DISALLOW_FILE_EDIT is set, so the practical impact is greatest on hardened or multisite deployments where those capabilities are restricted. In such environments it still enables information disclosure that can facilitate further attacks, including database compromise and privilege escalation.
