CVE-2025-1322
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3Description
The WP-Recall - Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to view data from password protected, private, or draft posts that they should not have access to.
Analysis
The WP-Recall - Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Technical Context
This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. The WP-Recall - Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to view data from password protected, private, or draft posts that they should not have access to. Affected products include: Plechevandrey Wp-Recall.
Affected Products
Plechevandrey Wp-Recall.
Remediation
A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today