CVE-2025-11504 HIGH

CVE-2025-11504: Quickcreator – AI Blog Writer 0.0.9 - 0.1.17 - Unauthenticated API Key Exposure

Vendor: Quickcreator
Product: Quickcreator – AI Blog Writer
Weakness: CWE-532 · Sensitive info in logs
Published: October 24, 2025
Last update: October 24, 2025

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The Quickcreator – AI Blog Writer plugin for WordPress is vulnerable to Sensitive Information Exposure in versions 0.0.9 to 0.1.17 through the /wp-content/plugins/quickcreator/dupasrala.txt file. This makes it possible for unauthenticated attackers to view the plugin's API key and subsequently use that to perform actions on the site like creating new posts and injecting XSS payloads.

Explanation of Vulnerability in Simple Terms

02 Summary

Quickcreator – AI Blog Writer versions 0.0.9 through 0.1.17 expose the plugin's API key through the file /wp-content/plugins/quickcreator/dupasrala.txt. An attacker on the network can read it without authentication or user interaction. Update to a version newer than 0.1.17 to resolve this issue.
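A local audit for site owners, as an added example that is not part of the original advisory or the plugin's code: it reads the plugin's version from the standard WordPress plugin header and checks whether the file named above is present on disk. The plugin directory, file name and version range come from the advisory; the WordPress root path, the sample tree and its `main-plugin-file.php` are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Values taken from the advisory text.
PLUGIN_DIR = Path("wp-content/plugins/quickcreator")
EXPOSED_FILE = "dupasrala.txt"
VULN_MIN, VULN_MAX = (0, 0, 9), (0, 1, 17)
# WordPress plugin header line, e.g. " * Version: 0.1.5"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(text):
    """Return the header version as an int tuple padded to 3 parts, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def audit(wp_root):
    """Inspect one WordPress root on disk and report exposure per the advisory."""
    plugin = Path(wp_root) / PLUGIN_DIR
    if not plugin.is_dir():
        return {"installed": False, "version": None, "file_present": False, "action_needed": False}
    version = None
    for php in sorted(plugin.glob("*.php")):  # header lives in a top-level PHP file
        version = parse_version(php.read_text(errors="replace")[:8192])
        if version:
            break
    in_range = version is None or VULN_MIN <= version <= VULN_MAX  # unknown: fail closed
    file_present = (plugin / EXPOSED_FILE).is_file()
    return {"installed": True, "version": version, "file_present": file_present,
            "action_needed": in_range or file_present}

def build_constructed_site(root, version, with_file):
    """Create a constructed plugin tree for the demo; file name and contents are made up."""
    plugin = Path(root) / PLUGIN_DIR
    plugin.mkdir(parents=True)
    (plugin / "main-plugin-file.php").write_text(f"<?php\n/*\n * Plugin Name: Sample\n * Version: {version}\n */\n")
    if with_file:
        (plugin / EXPOSED_FILE).write_text("constructed placeholder, not a real key\n")
    return root

if __name__ == "__main__":
    for ver, has_file in [("0.1.17", True), ("0.1.18", False), ("0.1.18", True)]:
        with tempfile.TemporaryDirectory() as tmp:
            print(ver, has_file, audit(build_constructed_site(tmp, ver, has_file)))
```

The audit sets `action_needed` when the file is still on disk even if the installed version is newer than 0.1.17, and when no version header can be read.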

What an attacker can do

03 Attacker Capabilities

Read the plugin's API key without authentication, then use it to perform actions on the site such as creating new posts and injecting XSS payloads.

Potential impact on your site

04 Site Impact

Confidential data may be exposed to unauthenticated attackers over the network.

Conditions required to exploit

05 Prerequisites

Network access to the application; no authentication or user interaction required.

Key dates

06 Disclosure timeline

October 24, 2025: CVE published
October 24, 2025: Record updated