Skip to main content

Templately WordPress Plugin CVE-2025-49408

CRITICAL
Insertion of Sensitive Information Into Sent Data (CWE-201)
2025-08-20 audit@patchstack.com
10.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 28, 2026 - 19:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:42 NVD
MEDIUM CRITICAL
CVSS changed
Apr 23, 2026 - 15:42 NVD
4.9 (MEDIUM) 10.0 (CRITICAL)
Analysis Generated
Mar 28, 2026 - 19:07 vuln.today
CVE Published
Aug 20, 2025 - 08:15 nvd
MEDIUM 4.9

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7.

AnalysisAI

The Templately WordPress plugin through version 3.2.7 exposes sensitive embedded data to remote unauthenticated attackers via network-accessible endpoints. Discovery by audit@patchstack.com (likely through their WordPress security audit program). Despite a critical CVSS 10.0 score reflecting network-accessible, unauthenticated exploitation with scope change, the EPSS score of 0.04% (13th percentile) indicates extremely low observed exploitation probability in the wild. No active exploitation confirmed by CISA KEV, and no public exploit code identified at time of analysis.

Technical ContextAI

This vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a class of information disclosure flaw where applications inadvertently embed sensitive data in responses, error messages, or output that gets transmitted to clients. Templately is a WordPress template library plugin that enables users to import and manage design templates. The plugin likely exposes embedded sensitive data - potentially API keys, configuration details, database credentials, internal paths, or user session tokens - through accessible HTTP endpoints or API responses. The CVSS scope change (S:C) indicates the vulnerable component impacts resources beyond its own security scope, suggesting that leaked credentials or tokens could provide access to external systems or other WordPress components. The CWE-201 classification distinguishes this from traditional authentication bypass or SQL injection - the flaw is architectural exposure of data that should never be transmitted, rather than improper access control to protected data.

Affected ProductsAI

Templately WordPress plugin versions up to and including 3.2.7 are confirmed vulnerable based on the NVD advisory scope statement 'from n/a through 3.2.7'. This encompasses all historical versions through the specified ceiling. The plugin is distributed through the WordPress.org repository and potentially premium channels managed by WPDeveloper. No CPE strings were provided in the source data, limiting automated asset inventory matching. The Patchstack database reference at https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-2-7-sensitive-data-exposure-vulnerability provides additional vendor-specific confirmation of affected versions.

RemediationAI

Upgrade Templately to version 3.2.8 or later immediately if such a patched version exists, though the specific fix version was not confirmed in the provided intelligence data - consult the WPDeveloper vendor advisory or Patchstack database entry at https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-2-7-sensitive-data-exposure-vulnerability for the exact patched release. If no patched version is available or upgrade is not immediately feasible, implement compensating controls: disable the Templately plugin entirely until a fix is released, restrict WordPress admin dashboard access to trusted IP ranges via web application firewall or .htaccess rules (note this may impact legitimate administrative functions), monitor WordPress access logs for unusual API endpoint requests to Templately routes, and rotate any credentials or API keys that may have been exposed through the plugin's data leakage. Review WordPress database and configuration files for any sensitive information that Templately may have cached or logged. These mitigations significantly reduce attack surface but do not eliminate the underlying CWE-201 flaw - patching remains the definitive remediation.

Share

CVE-2025-49408 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy