Skip to main content

CVE-2025-59003

MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2025-12-31 audit@patchstack.com
5.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 29, 2026 - 10:22 NVD
5.8 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 14:15 nvd
N/A

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in inkthemescom ColorWay colorway allows Retrieve Embedded Sensitive Data.This issue affects ColorWay: from n/a through <= 4.2.3.

AnalysisAI

ColorWay WordPress theme through version 4.2.3 embeds sensitive information in sent data, allowing unauthenticated attackers to retrieve embedded data without authentication. The vulnerability has an exceptionally low exploitation probability (EPSS 0.03%, 9th percentile) despite being information disclosure in nature, suggesting the sensitive data exposure requires specific conditions or limited practical impact. No active exploitation or public exploit code is documented at time of analysis.

Technical ContextAI

The vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a weakness where applications inadvertently expose confidential information through data transmission channels. In the context of ColorWay, a WordPress theme distributed via inkthemescom, the flaw likely involves embedded credentials, API keys, or other sensitive configuration data being included in HTTP responses, client-side scripts, or theme assets that are accessible to unauthenticated users. This is distinct from improper access control-the data itself is being transmitted insecurely rather than being properly protected before transmission.

Affected ProductsAI

ColorWay WordPress theme distributed by inkthemescom is affected in all versions from inception through 4.2.3 inclusive. The affected product is identified as a WordPress theme component rather than a standalone application, meaning impact is limited to WordPress installations with this theme active. The vendor advisory is available at https://patchstack.com/database/Wordpress/Theme/colorway/vulnerability/wordpress-colorway-theme-4-2-3-sensitive-data-exposure-vulnerability?_s_id=cve.

RemediationAI

WordPress site administrators should update the ColorWay theme to version 4.2.4 or later as soon as the patched version becomes available from the vendor or WordPress theme repository. Administrators unable to immediately update should temporarily disable or replace the ColorWay theme until a patch is released. As an interim protective measure, review theme files and configuration for exposed credentials or API keys, and consider applying Web Application Firewall (WAF) rules to redact sensitive data from responses if the specific data type can be identified. Consult the vendor advisory at Patchstack for confirmation of the exact fix version once released.

Share

CVE-2025-59003 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy