
Simply Static CVE-2024-32825

HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2024-04-24 audit@patchstack.com
7.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline (2 events)

CVSS changed · Apr 23, 2026 - 15:22 · NVD · 7.5 (HIGH)
CVE Published · Apr 24, 2024 - 08:15 · NVD · CVSS at publication: N/A

Description (CVE.org)

Insertion of Sensitive Information Into Sent Data vulnerability in Simply Static Simply Static simply-static. This issue affects Simply Static: from n/a through <= 3.1.3.

Analysis (AI)

Sensitive information disclosure in the Simply Static WordPress plugin (versions up to and including 3.1.3) lets a remote, unauthenticated attacker read data that should not appear in the generated static site output; this matches the NVD vector (PR:N/UI:N, C:H, no integrity or availability impact). Public exploit code is reported to exist, while the EPSS score (0.29%, 53rd percentile) indicates modest exploitation interest. The issue was reported through Patchstack's audit program and is classified as information disclosure.

Technical Context (AI)

Simply Static is a WordPress plugin that crawls a dynamic WordPress site and writes it out as a static HTML export, which is then deployed to a hosting provider or CDN. The weakness class is CWE-201 (Insertion of Sensitive Information Into Sent Data): the plugin places data in what it sends or generates (the static export, HTTP responses, or generated files) that was never meant to be public. Because a static site generator traverses and serializes WordPress content, configuration, and internal state, over-broad inclusion logic can carry credentials, internal filesystem paths, draft content, or configuration data into the published artifacts, where anyone who can fetch the static site can read them. The advisory does not say which of these the plugin actually exposed.

Affected Products (AI)

The Simply Static WordPress plugin (plugin slug: simply-static) is affected in all versions from an unspecified starting point through and including 3.1.3. No CPE string was provided in the input data, and no vendor advisory URL was supplied beyond the Patchstack reporter attribution; Patchstack's vulnerability database (patchstack.com) is the authoritative reference for this disclosure.

Remediation (AI)

Upgrade Simply Static to a release newer than 3.1.3. The description states that versions up to and including 3.1.3 are affected, which implies a fix in the 3.1.4 line or later, but no exact fixed version was confirmed in the input data; check the current patched version on the Patchstack advisory and the WordPress.org plugin page before deploying. Until the upgrade is applied, the compensating controls are: deactivate the plugin (trade-off: static export functionality is lost); restrict the plugin's admin interface and any generated export download endpoints with web server ACLs or a WAF rule; and audit previously generated static exports for inadvertently included sensitive data such as configuration values, credentials, internal paths, or non-public content. Remove or regenerate affected exports after upgrading, and treat any credential found in a published export as compromised and rotate it, since the export may already have been fetched.
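As an added illustration of the audit step above and of the leak classes listed under Technical Context (this is example code written for this page, not Simply Static's code, and it does not model the plugin's actual defect, which the advisory does not detail): a Python scanner that walks an export directory and flags strings that typically belong in wp-config.php, in the server's filesystem layout, or in unpublished post state rather than in public HTML. The pattern list, the file suffixes scanned, and the sample export it builds are all constructed assumptions for the example.

```python
"""Scan a generated static export for data that should not be public."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Heuristic patterns written for this page; they are assumptions about what an
# over-broad export might carry, not a model of the specific defect in the CVE.
PATTERNS = {
    "wp-config constant": re.compile(
        r"define\s*\(\s*['\"](?:DB_(?:NAME|USER|PASSWORD|HOST)|AUTH_KEY|SECURE_AUTH_KEY|NONCE_KEY)['\"]"
    ),
    "credential assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b['\"]?\s*[:=]\s*['\"]?[^\s'\"<>]{6,}"
    ),
    "server path": re.compile(r"(?<![\w/])/(?:var/www|home/[a-z0-9_-]+|srv|opt)/[\w./-]+"),
    "unpublished post": re.compile(
        r"(?i)\"status\"\s*:\s*\"(?:draft|private|pending)\"|post-status-(?:draft|private)"
    ),
}

# File types a static export normally contains and that are served verbatim.
SCAN_SUFFIXES = {".html", ".htm", ".js", ".json", ".txt", ".xml", ".css"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str


def scan_file(path: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit in a single exported file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, line in enumerate(fh, start=1):
            for kind, rx in PATTERNS.items():
                m = rx.search(line)
                if m:
                    # Keep only a short prefix so the report does not echo a
                    # long secret in full.
                    findings.append(Finding(path, line_no, kind, m.group(0)[:40]))
    return findings


def scan_export(root: str) -> list[Finding]:
    """Walk the export tree and scan every file with a servable suffix."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() in SCAN_SUFFIXES:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: (f.path, f.line_no))


def build_sample_export() -> str:
    """Constructed sample export: one clean page and one page with leaks."""
    root = tempfile.mkdtemp(prefix="static-export-")
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as fh:
        fh.write("<html><body><h1>Welcome</h1><a href='/blog/'>Blog</a></body></html>\n")
    with open(os.path.join(root, "blog", "index.html"), "w", encoding="utf-8") as fh:
        # Constructed leak examples: a server path in a comment, a draft-state
        # marker and an API key in inlined JavaScript.
        fh.write("<!-- exported from /var/www/html/wp-content/uploads -->\n")
        fh.write('<script>var cfg = {"status":"draft", "api_key": "sk-constructed-example"};</script>\n')
        fh.write("<p>Public post body.</p>\n")
    return root


if __name__ == "__main__":
    for f in scan_export(build_sample_export()):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}")
```

Run it against a real export directory by calling scan_export on that path instead of build_sample_export(); any finding is a candidate for the regenerate-and-rotate step, and the pattern set should be extended with the site's own hostnames, table prefixes and plugin-specific keys.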


CVE-2024-32825 vulnerability details – vuln.today
