CVE-2025-4222: Database Toolset <= 1.8.4 - Unauthenticated Sensitive Information Exposure via Backup Files

5.9 CVSS

Description

The Database Toolset plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.4 via backup files stored in a publicly accessible location. This makes it possible for unauthenticated attackers to extract sensitive data from database backup files. An index file is present, so a brute force attack would need to be successful in order to compromise any data.

Classification

CVE ID: CVE-2025-4222

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.9

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem Types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

Vendor: neoslab

Product: Database Toolset

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.07% (probability of being exploited)

EPSS Percentile: 22.44% (scored less or equal to compared to others)

EPSS Date: 2025-05-31 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-4222
https://www.wordfence.com/threat-intel/vulnerabilities/id/fa452a9a-9e26-41a1-8dea-4bafaf735bee?source=cve
https://plugins.trac.wordpress.org/browser/database-toolset/trunk/admin/class-database-toolset-backup.php#L76
https://plugins.trac.wordpress.org/browser/database-toolset/trunk/admin/class-database-toolset-admin.php#L247

Timeline

2025-05-03 03:40:19 UTC
CVE

Database Toolset <= 1.8.4 - Unauthenticated Sensitive Information Exposure via Backup Files