WordPress Plugin Vulnerabilities

Error Log Viewer by BestWebSoft < 1.1.7 - Authenticated (Administrator+) Arbitrary File Read

Description

The Error Log Viewer by BestWebSoft plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.6 via the rrrlgvwr_get_file function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affects Plugins

Plugin icon
error-log-viewer
Fixed in 1.1.7

References

CVE
CVE-2025-9950
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9455eccb-9f32-4e4e-8fe4-f345bf6e8da7

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Duc Manh
Verified
No
WPVDB ID
de9ce8ed-03f2-4144-b4ff-8ca01abd1d67

Timeline

Publicly Published
2025-10-10 (about 7 months ago)
Added
2025-10-10 (about 7 months ago)
Last Updated
2025-10-14 (about 6 months ago)

Other

Published
Title
Published
2026-04-02
Title
Perfmatters < 2.6.0 - Authenticated (Subscriber+) Arbitrary File Deletion via 'delete' Parameter
Published
2026-04-27
Title
WP Maps < 4.9.3 - Subscriber+ Local File Inclusion
Published
2018-06-12
Title
Redirection < 2.8 - Authenticated Local File Inclusion
Published
2025-09-29
Title
All in One Music Player <= 1.3.1 - Authenticated (Contributor+) Path Traversal via theme Parameter
Published
2014-08-01
Title
wp-amasin-the-amazon-affiliate-shop 0.9.6 - reviews.php url Parameter Local File Inclusion