Templately WordPress Plugin CVE-2025-49408
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7.
AnalysisAI
The Templately WordPress plugin through version 3.2.7 exposes sensitive embedded data to remote unauthenticated attackers via network-accessible endpoints. Discovery by audit@patchstack.com (likely through their WordPress security audit program). Despite a critical CVSS 10.0 score reflecting network-accessible, unauthenticated exploitation with scope change, the EPSS score of 0.04% (13th percentile) indicates extremely low observed exploitation probability in the wild. No active exploitation confirmed by CISA KEV, and no public exploit code identified at time of analysis.
Technical ContextAI
This vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a class of information disclosure flaw where applications inadvertently embed sensitive data in responses, error messages, or output that gets transmitted to clients. Templately is a WordPress template library plugin that enables users to import and manage design templates. The plugin likely exposes embedded sensitive data - potentially API keys, configuration details, database credentials, internal paths, or user session tokens - through accessible HTTP endpoints or API responses. The CVSS scope change (S:C) indicates the vulnerable component impacts resources beyond its own security scope, suggesting that leaked credentials or tokens could provide access to external systems or other WordPress components. The CWE-201 classification distinguishes this from traditional authentication bypass or SQL injection - the flaw is architectural exposure of data that should never be transmitted, rather than improper access control to protected data.
Affected ProductsAI
Templately WordPress plugin versions up to and including 3.2.7 are confirmed vulnerable based on the NVD advisory scope statement 'from n/a through 3.2.7'. This encompasses all historical versions through the specified ceiling. The plugin is distributed through the WordPress.org repository and potentially premium channels managed by WPDeveloper. No CPE strings were provided in the source data, limiting automated asset inventory matching. The Patchstack database reference at https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-2-7-sensitive-data-exposure-vulnerability provides additional vendor-specific confirmation of affected versions.
RemediationAI
Upgrade Templately to version 3.2.8 or later immediately if such a patched version exists, though the specific fix version was not confirmed in the provided intelligence data - consult the WPDeveloper vendor advisory or Patchstack database entry at https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-2-7-sensitive-data-exposure-vulnerability for the exact patched release. If no patched version is available or upgrade is not immediately feasible, implement compensating controls: disable the Templately plugin entirely until a fix is released, restrict WordPress admin dashboard access to trusted IP ranges via web application firewall or .htaccess rules (note this may impact legitimate administrative functions), monitor WordPress access logs for unusual API endpoint requests to Templately routes, and rotate any credentials or API keys that may have been exposed through the plugin's data leakage. Review WordPress database and configuration files for any sensitive information that Templately may have cached or logged. These mitigations significantly reduce attack surface but do not eliminate the underlying CWE-201 flaw - patching remains the definitive remediation.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today