Skip to main content

Digages Direct Payments WP CVE-2025-49340

MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2025-12-31 audit@patchstack.com
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
4.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 17:15 nvd
N/A

DescriptionCVE.org

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Digages Direct Payments WP direct-payments-wp allows Retrieve Embedded Sensitive Data.This issue affects Direct Payments WP: from n/a through <= 1.3.2.

AnalysisAI

Direct Payments WP WordPress plugin through version 1.3.2 exposes embedded sensitive system information to unauthorized parties via CWE-497 exposure mechanisms, allowing attackers to retrieve confidential data without requiring authentication. The vulnerability affects all versions up to and including 1.3.2, with an EPSS score of 0.01% indicating minimal observed exploitation probability despite the information disclosure nature of the flaw.

Technical ContextAI

CWE-497 describes exposure of sensitive information to an unauthorized control sphere, typically occurring when applications store or transmit sensitive data in ways that become accessible to threat actors outside the intended security boundary. In the context of Direct Payments WP, a WordPress payment processing plugin, this vulnerability likely involves embedded credentials, API keys, transaction data, or system configuration details that are retrievable through normal plugin operation or via crafted requests. The plugin's architecture for handling direct payment processing creates multiple potential data exposure points where sensitive information intended for secure backend communication may be inadvertently exposed through frontend interfaces, logs, database entries, or API responses.

Affected ProductsAI

Digages Direct Payments WP plugin for WordPress is affected in all versions from the initial release through version 1.3.2 inclusive. The plugin is available on the WordPress plugin repository and is identified via CPE and vendor advisory at Patchstack (https://patchstack.com/database/Wordpress/Plugin/direct-payments-wp/vulnerability/wordpress-direct-payments-wp-plugin-1-3-0-sensitive-data-exposure-vulnerability).

RemediationAI

Update Direct Payments WP plugin to version 1.3.3 or later immediately to resolve the sensitive data exposure. Site administrators should navigate to WordPress Dashboard > Plugins, locate Direct Payments WP, and apply the available update. If an update version is not yet released by the plugin developer, temporarily disable the plugin until a patched version is available. After patching, conduct an audit of any payment or system data that may have been exposed through this vulnerability, particularly checking server logs, database backups, and API access logs for evidence of unauthorized data retrieval. Refer to the Patchstack advisory for additional mitigation guidance and compatibility notes.

Share

CVE-2025-49340 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy