Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-level user to overwrite and take over arbitrary posts or pages sitewide, including administrator-owned content. The content-builder save handler validates the request against an unrelated identifier rather than confirming the requesting user owns or is permitted to edit the target post, making the authorization check entirely ineffective. A publicly available proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at time of analysis, though the low barrier (instructor account only) and high integrity impact elevate real-world risk significantly.
Local privilege/impact abuse in Tencent PC Manager 18.1.30242.301 stems from an uncontrolled search path (CWE-427) in the QMUDisk kernel driver library qmudisk64.sys, letting a low-privileged local user coerce loading of an attacker-controlled library to achieve high confidentiality, integrity, and availability impact. Publicly available exploit code exists (the 'qmukiller' proof-of-concept on GitHub), but exploitation is rated high-complexity/difficult and requires local access with existing low-level privileges. No public exploit has been tied to active in-the-wild attacks, and the vendor did not respond to the disclosure, so no fix is currently available.
Stored Cross-Site Scripting in the Breeze Cache WordPress plugin (versions before 2.5.6) allows unauthenticated attackers to inject arbitrary HTML attributes into cached page output by exploiting a predictable placeholder hash format used during HTML minification. The root cause is a weak, guessable replacement token generated during the minification pipeline combined with a flawed regular expression, meaning an attacker who can submit content to the site can anticipate the placeholder pattern and craft input that survives minification as injected markup. A publicly available proof-of-concept exploit exists; this vulnerability has not been confirmed in CISA KEV at time of analysis, but the low attack complexity and unauthenticated access requirement make it a realistic opportunistic target across WordPress deployments using this plugin.
SQL injection in Jinher OA 1.0 exposes the PlanGiveOut.aspx endpoint to remote unauthenticated exploitation via the unsanitized `httpOID` parameter, enabling database enumeration, data exfiltration, and record manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites beyond network access. A public proof-of-concept exploit has been published on GitHub (CVE-2026-15517 issue tracker), the vendor did not respond to coordinated disclosure, and no patch exists at time of analysis.
SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_exam2.php` endpoint to remote unauthenticated database manipulation via the unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions, making this trivially exploitable over the network. A public exploit has been released on GitHub (no public exploit identified at time of analysis for KEV, but publicly available exploit code exists per POC data), and while the vulnerability is not listed in the CISA KEV catalog, the zero-friction attack path elevates real-world risk above what the moderate 5.5 CVSS score might suggest.
Authentication bypass in waooAI waoowaoo through version 0.4.1 allows unauthenticated remote attackers to spoof internal user identity by manipulating the x-internal-user-id HTTP request header, defeating the authentication controls implemented across multiple auth functions in the API layer. Affected are the getInternalTaskSession, getAuthSession, requireUserAuth, requireProjectAuth, and requireProjectAuthLight functions in src/lib/api-auth.ts, meaning both user-level and project-level authorization gates can be circumvented. A publicly available exploit (POC) exists via GitHub issue #200; the vendor has not yet responded to the disclosure, and no patch has been released.
SQL injection in SourceCodester Online Book Store System 1.0 exposes the admin authentication panel to remote, unauthenticated exploitation via the Username parameter in admin/login.php. A publicly available proof-of-concept - explicitly titled 'SQL Injection Leading to Authentication Bypass' - demonstrates that an attacker can bypass admin login entirely without valid credentials. No active exploitation is confirmed by CISA KEV, but the combination of a publicly released exploit and a trivially low attack complexity significantly elevates real-world risk above what the base CVSS 4.0 score of 6.9 suggests.
Information disclosure in WuzhiCMS up to version 4.1.0 exposes sensitive server-side data through the Attachment API's `config/listimage` function, reachable at `/index.php?m=attachment&f=index&v=upload`. Remote unauthenticated attackers can exploit this endpoint without any privileges or user interaction, as confirmed by a publicly available proof-of-concept published via a GitHub issue report. The vendor has not responded to the disclosure, leaving no patch available and all deployments exposed.
Missing authorization in WP Job Portal WordPress plugin before 2.5.5 allows any self-registered subscriber to approve, feature, or reject arbitrary job listings owned by other users, bypassing both capability and ownership checks entirely. The subscriber role is self-registerable on most WordPress sites, meaning an unauthenticated attacker can trivially obtain the access level needed to exploit this flaw with no admin interaction required. A publicly available proof-of-concept exists; no CISA KEV listing indicates confirmed mass exploitation at time of analysis.
Missing ownership verification in Tutor LMS WordPress plugin before 3.9.13 allows any authenticated subscriber-level user to overwrite other students' quiz attempt records, including their scores and pass/fail status. The flaw is an insecure direct object reference (IDOR) pattern: the plugin writes to quiz attempts without confirming the requesting user owns that attempt. A public exploit exists per WPScan, meaning the technique is documented and reproducible; however, this CVE is not listed in the CISA KEV catalog, indicating no confirmed mass exploitation at time of analysis.
Arbitrary file write via symlink attack in FlashAttention's build toolchain (through 2.8.3.post1) allows a local low-privileged attacker to redirect NVIDIA archive extraction to attacker-controlled paths by pre-planting a symlink in the predictable cache directory before a victim initiates a build. The hopper/setup.py download_and_copy() function called tarfile.extractall() without symlink validation or path confinement, meaning extracted NVIDIA toolchain binaries could be written anywhere accessible to the victim's process. No active exploitation is confirmed in CISA KEV, but a publicly available proof-of-concept exists at GitHub issue #2637 and a vendor patch is available in commit 0816ef1.
PHP object injection in the 'Database for Contact Form 7, WPforms, Elementor forms' WordPress plugin (all versions before 1.5.2) permits unauthenticated attackers to embed malicious serialized PHP objects via the entry-editor file-field path, which are instantiated server-side when an administrator views the stored form entry. This is an incomplete remediation of two prior CVEs (CVE-2025-7384 and CVE-2026-2599) - earlier patches hardened other deserialization paths within the same plugin while this specific code route was overlooked. A publicly available exploit exists; no active exploitation is confirmed by CISA KEV at time of analysis.
The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level (self-registerable) account to read other employers' private account email addresses by enumerating job identifiers.
Tutor LMS WordPress plugin (all versions before 3.9.13) allows authenticated users with subscriber-level access to post auto-approved comments containing arbitrary HTML and external links on any site content, bypassing the comment moderation queue entirely. The vulnerable comment handler performs no authorization check and no post-target validation before creating comments, making this exploitable by any registered user on sites with open registration - a common LMS deployment pattern. A publicly available POC from WPScan exists; no CISA KEV listing indicates confirmed mass exploitation, but the low privilege bar and POC availability make this a realistic content-integrity threat.
Path traversal via the `lang` query parameter in Rejetto HFS 3.0.0 through 3.2.0 enables remote unauthenticated attackers to read JSON files outside the application's designated shared folders. Exploitation is constrained by the application's own file-loading logic - only files matching a narrow naming convention and JSON format are reachable, limiting impact to partial information disclosure rather than arbitrary file read. Vendor-released patch v3.2.1 is available; no KEV listing or confirmed public exploit exists, though the same release addresses additional higher-severity vulnerabilities noted in the release notes.
Improper WebSocket authentication in will-moss Isaiah up to version 1.36.9 permits unauthenticated remote attackers to establish authenticated WebSocket sessions against the Docker management interface. The flaw resides in app/main.go within the WebSocket Connection Authentication component, where authentication controls can be bypassed, granting access to Docker management functionality without valid credentials. No public exploit has been identified at time of analysis, and an upstream fix exists as a pending pull request (PR #36) that has not yet been merged into a released version.
Username enumeration in Rejetto HFS 3.0.0-3.2.0 exposes valid account names-including the default admin account-to remote unauthenticated attackers through observably different login endpoint responses (CWE-204). The vendor release notes for v3.2.1 indicate this is one of multiple related vulnerabilities that collectively could allow an attacker to gain administrative access, suggesting this flaw may serve as a reconnaissance enabler in a broader attack chain. No public exploit is identified at time of analysis; vendor-released patch v3.2.1 is available.
Unrestricted file upload in Ragic Enterprise Cloud Database exposes all versions to unauthenticated remote exploitation, allowing attackers to plant malicious files that are subsequently served to authenticated platform users for download. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application performs no meaningful validation of file type, content, or extension before persisting uploads. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the zero-authentication requirement and network-accessible attack vector make this a low-barrier, high-supply-chain-risk issue in environments where Ragic is used for file collaboration.
Authorization bypass in OpenClaw's plugin install wrappers (versions 2026.6.5 through 2026.6.8) allows a lower-trust authenticated caller to skip the install policy check, executing or persisting plugin actions beyond their intended authorization scope. The impact is bounded by operator configuration - deployments where the plugin install feature is disabled or unreachable are not affected. No public exploit code has been identified and the vulnerability does not appear in CISA KEV; vendor-released fix is available in version 2026.6.9.
Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force protections on the /login and /register endpoints by injecting arbitrary cf-connecting-ip headers, cycling apparent source IPs per request. This enables unlimited credential-stuffing attacks against login and bulk registration of throwaway accounts. No public exploit code identified at time of analysis; the issue is confirmed fixed in version 1.11.0 per the vendor's GitHub Security Advisory.
Missing authorization in Isaiah's Master WebSocket Handler allows remote unauthenticated attackers to manipulate the Agent argument in the Server.Handle function, bypassing access controls over Docker management operations. All versions of the will-moss/isaiah project up to and including 1.36.9 are affected. No public exploit or active exploitation has been identified at time of analysis; a fix pull request (#35) exists upstream but awaits acceptance.
Out-of-bounds read in Blender 3.0.0 through 5.1.2 allows an attacker to crash the application or disclose heap memory contents by convincing a user to open a specially crafted .blend file containing a malicious member_index value in the SDNA block. The vulnerability stems from missing bounds validation on a signed short index used directly as an array subscript in sdna_expand_names(), enabling both denial-of-service via SIGSEGV and limited heap memory disclosure. No public exploit code or active exploitation has been identified at time of analysis, but the file-based attack vector makes social engineering a realistic delivery mechanism.
HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. An attacker who tricks a logged-in victim into clicking a crafted callback URL can redirect the victim's note export to the attacker's own GitHub Gist, bypassing any note visibility controls. No public exploit code or CISA KEV listing is identified at time of analysis, but a confirmed patch exists in version 1.11.0.
Blind SQL injection in decidim-admin's organization user search endpoint allows authenticated organization administrators to execute arbitrary PostgreSQL expressions inside an ORDER BY clause via the `term` query parameter. The flaw spans decidim-admin versions prior to 0.30.9, 0.31.5, and 0.32.0, and is exploitable using time-based payloads such as `pg_sleep` that return HTTP 200 while leaking data through measurable response-time deltas. No public exploit tool is identified at time of analysis and the vulnerability is not in CISA KEV, but the advisory provides working reproduction steps with a concrete payload, confirming practical exploitability.
Mattermost fails to invalidate OAuth refresh tokens when a user account is deactivated, enabling former users - or any attacker who possesses a valid refresh token - to continue minting functional access tokens against the OAuth refresh token grant endpoint indefinitely after access revocation should have taken effect. All three actively maintained release branches are affected (10.11.x, 11.6.x, 11.7.x), making this a cross-branch session-persistence flaw with high confidentiality and integrity impact on any workspace relying on OAuth-integrated access control. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the attack path requires minimal skill for any party already holding a refresh token.
Authorization bypass in ChurchCRM prior to version 7.4.0 exposes the full congregation member directory to any low-privileged authenticated user via the unprotected POST /CSVCreateFile.php endpoint. The endpoint streams a CSV containing complete PII for every Person and Family record in the database without performing a dedicated function-level authorization check, relying instead on a legacy coarse gate that any single non-admin permission flag satisfies. No public exploit has been identified at time of analysis, but the trivially low exploitation barrier - any valid low-privilege account - makes this a high-priority remediation for organizations managing sensitive congregation data.
Private data exports in Decidim (decidim-core) are protected at the wrapper route level but expose reusable, session-unbound Active Storage blob redirect URLs that any party who obtains the URL can replay without authentication. The flaw affects all users of the `download_your_data` feature across three version lines of the decidim-core gem, allowing complete disclosure of a user's personal data export - GDPR-scope data - through passive leakage channels including browser history, proxy logs, referrer headers, screenshots, or shared support transcripts. No public exploit has been identified at time of analysis, but the vendor published detailed step-by-step reproduction instructions in the security advisory, making the attack straightforward for any party who intercepts the signed URL.
{env}/releases/{releaseId}` endpoint fetches and returns a release payload without invoking `UserPermissionValidator.shouldHideConfigToCurrentUser(...)`, meaning a low-privileged user who supplies a valid release ID belonging to a restricted application receives the full configuration - potentially including embedded credentials, database connection strings, and service endpoints. No public exploit has been identified at time of analysis, and exploitation is gated by a non-default configuration setting (`configView.memberOnly.envs`), but the practical data sensitivity of Apollo configuration stores makes this a meaningful confidentiality risk.
Tenant data leakage in the Tempo Operator gateway component (Red Hat OpenShift Distributed Tracing 3) allows an authenticated low-privileged user to read span attributes from namespaces belonging to other tenants. The flaw exists because namespace-scoped redaction is inconsistently applied across certain query API response paths when query RBAC is enabled, meaning the authorization control exists but is not uniformly enforced. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the high confidentiality impact and low attack complexity make it a meaningful risk in shared multi-tenant tracing deployments.
Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows unauthenticated network attackers to bypass access control security levels, yielding limited confidentiality and integrity impact against affected WordPress sites. Reported by Patchstack under CWE-862, the flaw is automatable per CISA's SSVC framework, meaning it can be exploited at scale without human interaction. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis, but the unauthenticated, low-complexity attack surface warrants prompt patching.
Unauthenticated broken access control in the Simply Schedule Appointments WordPress plugin (versions through 1.6.12.4) allows remote attackers to perform unauthorized actions against appointment data, resulting in low-integrity and low-availability impacts. The plugin by NSquared fails to enforce proper authorization checks on one or more endpoints, enabling exploitation without any credentials against default installations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and zero privilege requirement lower the barrier for opportunistic abuse.
Stored Cross-Site Scripting (XSS) in the merkulove Speaker WordPress plugin (versions through 4.1.13) allows an authenticated low-privilege user to inject and persistently store malicious scripts that execute in other users' browsers upon page visitation. The scope change in the CVSS vector (S:C) confirms that successful exploitation crosses the security boundary from the plugin's context into visiting users' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or active exploitation (CISA KEV) has been identified at the time of analysis, and EPSS data was not supplied, but the low attack complexity keeps this a credible risk on any WordPress site where untrusted contributors have posting privileges.
DOM-Based Cross-Site Scripting in the Envision Page Builder WordPress plugin (versions through 0.22) allows low-privileged authenticated attackers to inject and execute malicious JavaScript in victim browsers via unsanitized page builder input. The scope change (S:C) in the CVSS vector confirms the payload escapes the plugin's own context and can affect the broader WordPress environment, including the admin panel. No public exploit code or active exploitation has been identified at time of analysis, but the stored-or-reflected DOM injection path makes this a realistic avenue for session hijacking or privilege escalation within WordPress installations.
Stored cross-site scripting in the SupportCandy WordPress plugin (versions through 3.4.8) allows a low-privileged authenticated attacker to inject persistent malicious scripts that execute in the browser of any user - likely an administrator or support agent - who subsequently views the tainted content. The scope change (S:C in CVSS) reflects that injected script breaks out of the plugin's trust boundary and runs in the victim's full browser session, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog.
Authentication bypass in VillaTheme's Abandoned Cart Recovery for WooCommerce (versions through 1.1.12) allows unauthenticated remote attackers to access protected functionality via an alternate authentication path or channel (CWE-288). The CVSS vector confirms network-reachable, zero-complexity exploitation requiring no privileges or user interaction, yielding partial confidentiality and integrity compromise. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and unauthenticated nature elevate practical risk for any WooCommerce store running this plugin.
Cross-site scripting in the Ad Inserter WordPress plugin (Spacetime, versions through 2.8.11) allows authenticated low-privilege users to inject malicious JavaScript into pages served to other site visitors. The CVSS scope-change metric (S:C) confirms the vulnerability crosses the security boundary from the plugin into victims' browser contexts, enabling session theft or unauthorized action execution on behalf of targeted users. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a moderate-priority category for WordPress operators running affected versions.
Insecure Direct Object Reference (IDOR) in Tutor LMS WordPress plugin allows authenticated low-privilege users to bypass authorization controls by manipulating user-controlled keys, resulting in unauthorized modification of LMS objects such as courses, lessons, or student records. Affected versions span all releases through 3.9.13 by Themeum. No confirmed active exploitation (KEV) or public exploit code has been identified at time of analysis, but the low attack complexity and wide WordPress deployment surface make this a credible integrity risk for any site running an unpatched version.
Missing authorization in Razorpay Payment Links for WooCommerce (versions through 2.1.4) allows unauthenticated network attackers to invoke privileged plugin actions without any authentication check. The flaw stems from CWE-862, where one or more AJAX endpoints or REST routes in the plugin fail to verify the caller's identity or capability before executing sensitive operations, resulting in low-severity integrity and availability impacts against WooCommerce payment link workflows. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.
Stored cross-site scripting in the Author Box WP Lens WordPress plugin (versions through 2.1.5) enables authenticated low-privilege users to persist malicious JavaScript payloads that execute in the browsers of any user who views an affected page, including administrators. The CVSS scope change (S:C) reflects that the injected script runs in a different security context than where it was stored, meaning a contributor-level attacker can target higher-privileged victims browsing the same site. No public exploit identified at time of analysis and no CISA KEV listing; however, multi-author WordPress deployments with untrusted contributors face realistic risk of privilege escalation via session hijacking.
Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible attack vector and high confidentiality impact make this a meaningful exposure for sites hosting sensitive invoicing workflows.
Stock Locations for WooCommerce plugin (versions through 3.1.8) exposes one or more privileged operations without performing authorization checks, allowing authenticated low-privileged WordPress users to manipulate stock location data they should have no rights to modify. Rooted in CWE-862 (Missing Authorization), the flaw means the plugin accepts and executes sensitive requests based solely on authentication rather than verifying the requester's WordPress capability level. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-privilege access requirement and straightforward network exploitation path make it a realistic risk for any multi-location WooCommerce store running the affected plugin.
Stored Cross-Site Scripting in QuantumCloud's WoowBot (ChatBot for eCommerce) WordPress plugin allows authenticated low-privileged users to inject persistent malicious scripts that execute in victims' browsers when stored content is rendered. Versions through 4.6.1 are affected, with a scope change confirmed by the CVSS vector (S:C), meaning attacker-controlled JavaScript runs in the context of other users - including administrators. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. No public exploit or CISA KEV listing is identified at time of analysis, but the unauthenticated attack vector (PR:N, AV:N) lowers the bar for opportunistic exploitation significantly.
Broken access control in the Peach Payments Gateway WordPress plugin (all versions through 4.0.2) permits remote unauthenticated attackers to invoke plugin functionality without valid authorization, bypassing intended access control security levels. Rooted in CWE-862 (Missing Authorization) and reported by Patchstack, the flaw enables limited integrity and availability impact against WooCommerce-powered sites using this plugin. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the unauthenticated, low-complexity attack vector warrants prompt remediation for any site processing payments through this gateway.
Missing authorization in the FundEngine WordPress fundraising plugin (versions through 1.7.6) permits unauthenticated remote attackers to exploit incorrectly configured access control, resulting in partial data integrity and availability impact. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms low-complexity, unauthenticated network exploitation with no user interaction required. No active exploitation is confirmed in the CISA KEV catalog, and no public exploit code has been identified at the time of this analysis.
Missing authorization in the Booking and Rental Manager WordPress plugin (≤ 2.6.9) exposes unauthenticated remote attackers to broken access control, enabling unauthorized modification of booking data and partial disruption of plugin availability. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication or user interaction against any internet-facing WordPress/WooCommerce site running the affected plugin. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes this straightforwardly exploitable once a target is identified.
Stored cross-site scripting in the wpdesk Flexible Refund and Return Order for WooCommerce plugin (versions through 1.0.51) allows authenticated low-privileged users - such as registered WooCommerce customers - to inject persistent malicious scripts that execute in the browsers of other users, including administrators who review refund submissions. The scope-changed CVSS vector (S:C) confirms impact crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against shop owners. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.
Missing Authorization (CWE-862) in the Event Tickets Manager for WooCommerce WordPress plugin versions through 1.5.5 allows unauthenticated remote attackers to exploit incorrectly configured access control levels, resulting in limited but unauthorized modification of data and disruption of availability. The CVSS vector (PR:N/UI:N) confirms exploitation requires no authentication and no user interaction, lowering the barrier for abuse against any WordPress site with the plugin installed and active. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Missing Authorization (CWE-862) in the Tourfic WordPress plugin through version 2.22.5 permits authenticated low-privilege users to exploit incorrectly configured access control levels, resulting in unauthorized high-confidentiality data exposure. The CVSS vector (PR:L, C:H, I:N) confirms that any logged-in WordPress user - such as a customer or subscriber - can read sensitive data reserved for higher-privileged roles without modifying or disrupting it. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity makes exploitation straightforward once the unprotected endpoint is located.
Sensitive system information exposure in the WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) enables authenticated low-privilege users to retrieve embedded sensitive data via network requests. Classified under CWE-497, the flaw allows an attacker with minimal WordPress credentials - such as a customer or subscriber account - to access system-level or configuration data that should be restricted to administrative contexts. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the high confidentiality impact and low privilege requirement make it a meaningful risk for WooCommerce merchants running affected plugin versions.