CVE-2025-49340
Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Digages Direct Payments WP direct-payments-wp allows Retrieve Embedded Sensitive Data. This issue affects Direct Payments WP: from n/a through <= 1.3.2.
Analysis
Direct Payments WP, a WordPress payment plugin, exposes sensitive system information embedded in the plugin to parties outside its intended control sphere (CWE-497) in every version up to and including 1.3.2; the advisory classifies the attack as retrieval of embedded sensitive data, and the data can be retrieved without authentication. The EPSS score of 0.01% indicates a low predicted probability of exploitation in the wild. EPSS estimates likelihood of exploitation, not the impact of a disclosure, so on its own it should not lower the patch priority of a plugin that handles payments.
Technical Context
CWE-497 covers the exposure of sensitive information to an unauthorized control sphere: an application stores, embeds, or transmits sensitive data in a place (client-side code, HTTP responses, logs, configuration files served by the web server) that is readable by parties outside its intended security boundary. The public advisory for Direct Payments WP does not name the exposed item. For a WordPress payment-processing plugin the plausible candidates are gateway credentials or API keys, transaction details, or server configuration values, reachable either through normal plugin operation or through crafted requests. The usual exposure paths in such plugins are secrets embedded in frontend markup or localized script data, REST or admin-ajax endpoints that omit capability checks, verbose log files, and debug output. Until the exact path is confirmed, treat any secret the plugin holds as potentially disclosed.
Affected Products
The Digages Direct Payments WP plugin for WordPress is affected in every version from its initial release through 1.3.2 inclusive (the CVE record gives the lower bound as n/a). The plugin is distributed through the WordPress plugin repository under the slug direct-payments-wp; it is tracked by CPE and by the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/direct-payments-wp/vulnerability/wordpress-direct-payments-wp-plugin-1-3-0-sensitive-data-exposure-vulnerability).
Remediation
Update the Direct Payments WP plugin to version 1.3.3 or later to resolve the exposure. Site administrators can do this from WordPress Dashboard > Plugins by locating Direct Payments WP and applying the available update, or with WP-CLI. If the fixed release is not yet available from the developer, deactivate the plugin until it is; a deactivated plugin still leaves its files on disk and reachable over HTTP, so remove it entirely if the site can do without it in the meantime. After patching, review web server access logs, database backups, and API access logs for evidence that plugin-served data was retrieved by unauthorized parties. Because patching does not revoke secrets that may already have been read, rotate any payment-gateway credentials or API keys configured in the plugin. The Patchstack advisory carries further mitigation guidance and compatibility notes.
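The following script applies the procedure above on a host managed with WP-CLI. It is an added example and is not code from the advisory, from Patchstack, or from the plugin vendor. The plugin slug (direct-payments-wp) and the fixed version (1.3.3) come from the advisory; everything else is assumed: that WP-CLI (`wp`) is installed, that the site root is passed as the first argument (default /var/www/html), that the plugin's version can be read from the standard WordPress `Version:` plugin header (so no assumption about the main file's name is needed), and that the access log passed as the second argument is in a common/combined format where the request path appears verbatim.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory or the plugin vendor). Assumptions: WP-CLI
# is installed; $1 is the WordPress root; $2 is an access log to review.
set -u

PLUGIN_SLUG="direct-payments-wp"   # slug from the advisory
FIXED_VERSION="1.3.3"              # first fixed release per the advisory

# version_lt A B: succeed if dotted version A sorts strictly before B.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# is_vulnerable VERSION: succeed if VERSION is in the affected range (<= 1.3.2),
# i.e. anything older than the first fixed release.
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# installed_version WP_ROOT: print the Version: header of the installed plugin.
# Reads the standard WordPress plugin header from any PHP file in the plugin
# directory. Fails if the directory or the header is absent.
installed_version() {
  local dir="$1/wp-content/plugins/$PLUGIN_SLUG" ver
  [ -d "$dir" ] || return 1
  ver="$(grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$dir"/*.php 2>/dev/null |
    head -n1 | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//')"
  [ -n "$ver" ] || return 1
  printf '%s\n' "$ver"
}

# audit_access_log LOGFILE: print requests that touched the plugin's files, as a
# starting point for the post-patch review of possible data retrieval.
audit_access_log() {
  grep -E "/wp-content/plugins/$PLUGIN_SLUG/" "$1" 2>/dev/null || true
}

# remediate WP_ROOT: update the plugin, re-check the installed version, and
# deactivate it if no fixed build could be installed.
remediate() {
  local root="$1" ver
  ver="$(installed_version "$root")" || { echo "$PLUGIN_SLUG is not installed"; return 0; }
  echo "installed $PLUGIN_SLUG version: $ver"
  if ! is_vulnerable "$ver"; then
    echo "not affected (>= $FIXED_VERSION)"
    return 0
  fi
  echo "affected (<= 1.3.2): attempting update"
  wp --path="$root" plugin update "$PLUGIN_SLUG"
  # 'wp plugin update' exits 0 even when no newer release exists, so verify.
  ver="$(installed_version "$root")" || ver="unknown"
  if [ "$ver" = "unknown" ] || is_vulnerable "$ver"; then
    echo "no fixed release installed ($ver); deactivating until $FIXED_VERSION is available"
    wp --path="$root" plugin deactivate "$PLUGIN_SLUG"
  else
    echo "updated to $ver"
  fi
}

# Usage (assumed paths): ./remediate.sh /var/www/html /var/log/apache2/access.log
if [ "$#" -ge 1 ]; then
  remediate "$1"
  [ "$#" -ge 2 ] && audit_access_log "$2"
fi
```

The version comparison relies on `sort -V` rather than string comparison so that a hypothetical 1.10.0 is correctly treated as newer than 1.3.3. The audit function only narrows the log to requests against the plugin's directory; which of those represent retrieval of the exposed data depends on the exposure path, which the advisory does not publish, so the output is a starting point for manual review rather than a detection signature.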