
Atarim CVE-2025-60188

HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2025-11-06 audit@patchstack.com
7.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (5 events)

Analysis Updated - Apr 24, 2026 00:39 (vuln.today) - v2 (cvss_changed)
Re-analysis Queued - Apr 23, 2026 15:43 (vuln.today) - cvss_changed
PoC Detected - Apr 01, 2026 15:17 (vuln.today) - public exploit code
Analysis Generated - Mar 28, 2026 19:20 (vuln.today)
CVE Published - Nov 06, 2025 16:16 (nvd) - HIGH 7.5

Description (CVE.org)

Insertion of Sensitive Information Into Sent Data vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Retrieve Embedded Sensitive Data. This issue affects Atarim: from n/a through <= 4.2.

Analysis (AI)

Sensitive data exposure in the Atarim WordPress plugin, versions ≤4.2, allows remote unauthenticated attackers to retrieve embedded confidential information through network requests. Publicly available exploit code exists. An EPSS score of 5.50% (90th percentile) indicates an elevated real-world exploitation likelihood compared to most vulnerabilities, though CISA KEV does not yet list active exploitation. The CVSS vector describes network-accessible information disclosure requiring no authentication or user interaction, making this a high-priority remediation target for sites running affected versions.

Technical Context (AI)

Atarim is a WordPress visual collaboration and client feedback plugin that enables website stakeholders to communicate and track changes. This vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), where the application inadvertently includes confidential data in responses or transmissions that should not contain it. The plugin's architecture appears to expose sensitive embedded data through network-accessible endpoints without proper access controls or data sanitization. The complete lack of authentication requirements (PR:N) and low attack complexity (AC:L) indicate the vulnerable endpoint is directly accessible over HTTP/HTTPS without security barriers, likely through REST API routes or AJAX handlers common in WordPress plugins.

Affected Products (AI)

The vulnerability affects the Atarim (formerly known as zippy or WP Feedback) WordPress plugin in all versions up to and including version 4.2. The plugin is developed by Vito Peleg and distributed through the official WordPress.org plugin repository. Organizations should verify their installed version through the WordPress admin dashboard under Plugins. Detailed vulnerability information is available in the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/atarim-visual-collaboration/vulnerability/wordpress-atarim-plugin-4-2-sensitive-data-exposure-vulnerability-2?_s_id=cve.

Remediation (AI)

Immediately upgrade the Atarim plugin to version 4.3 or later, which contains the security fix for this data exposure vulnerability. Access the WordPress admin dashboard, navigate to Plugins > Installed Plugins, locate Atarim, and click Update Now. Verify the update completed successfully by confirming version 4.3+ in the plugin details. If immediate patching is not feasible, implement compensating controls: disable the Atarim plugin entirely until patching is complete, restrict WordPress admin access to trusted IP addresses via .htaccess or firewall rules, and audit server logs for suspicious requests to wp-admin/admin-ajax.php or REST API endpoints associated with Atarim (pattern: /wp-json/atarim/*). Note that deactivating the plugin will disrupt active collaboration workflows and client feedback functionality. Review WordPress access logs from the past 30 days for unauthorized data retrieval attempts targeting the plugin's endpoints. Consult the Patchstack advisory and the GitHub PoC repository (https://github.com/m4sh-wacker/CVE-2025-60188-Atarim-Plugin-Exploit) to understand the specific data exposure patterns for forensic investigation.
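The log review described above, as an added example that is not part of this advisory or of the Atarim plugin: it parses combined-format access-log lines, keeps requests from the last 30 days to the /wp-json/atarim/* pattern or to admin-ajax.php calls naming the plugin, and counts them per client address. The sample log lines, the endpoint paths and the AJAX action name are constructed for the demonstration, and the reference date is fixed so the output is deterministic.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def is_atarim_request(path: str) -> bool:
    """Match the endpoint patterns the advisory says to audit."""
    p = path.lower()
    if p.startswith("/wp-json/atarim/"):
        return True
    # Assumption: the plugin's AJAX calls name it in the query string.
    # POST bodies are not logged, so this only sees GET-style calls.
    return p.startswith("/wp-admin/admin-ajax.php") and "atarim" in p

def audit_log(lines, now, window_days=30):
    """Return requests to Atarim endpoints made within the review window."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < cutoff or not is_atarim_request(m["path"]):
            continue
        hits.append({"ip": m["ip"], "ts": ts, "method": m["method"],
                     "path": m["path"], "status": m["status"], "ua": m["ua"]})
    return hits

def by_source(hits):
    """Count hits per client IP; bulk retrieval tends to stand out here."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log (RFC 5737 addresses, made-up endpoint paths).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2026:10:15:02 +0000] "GET /wp-json/atarim/v1/example HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [20/Apr/2026:10:15:03 +0000] "GET /wp-json/atarim/v1/example?page=2 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.4 - - [21/Apr/2026:08:00:11 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Feb/2026:09:00:00 +0000] "GET /wp-json/atarim/v1/example HTTP/1.1" 200 5120 "-" "curl/8.0"
192.0.2.9 - - [22/Apr/2026:12:30:45 +0000] "GET /wp-admin/admin-ajax.php?action=atarim_example HTTP/1.1" 200 800 "-" "curl/8.0"
"""
# Fixed reference time for a reproducible run; use datetime.now(timezone.utc) in practice.
NOW = datetime(2026, 4, 24, tzinfo=timezone.utc)

if __name__ == "__main__":
    hits = audit_log(SAMPLE_LOG.splitlines(), NOW)
    for h in hits:
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"], h["status"], h["ua"])
    print(dict(by_source(hits)))
```

The February entry falls outside the 30-day window and is dropped; requests with a 200 status and a non-browser user agent against these paths are the ones to examine first.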


CVE-2025-60188 vulnerability details – vuln.today
