Vladimir Statsenko Terms CVE-2025-62139
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in Vladimir Statsenko Terms descriptions terms-descriptions allows Retrieve Embedded Sensitive Data.This issue affects Terms descriptions: from n/a through <= 3.4.10.
AnalysisAI
The Terms descriptions WordPress plugin versions 3.4.10 and earlier expose sensitive data through embedded information in sent data, allowing unauthenticated attackers to retrieve embedded sensitive information. This information disclosure vulnerability (CWE-201) affects all installations of the plugin up to version 3.4.10. No public exploit code has been identified, and the EPSS score of 0.04% indicates minimal real-world exploitation probability, though the vulnerability remains a concern for sites storing sensitive term metadata.
Technical ContextAI
The vulnerability stems from improper handling of sensitive information within the Terms descriptions WordPress plugin, a tool used to add and manage descriptions for WordPress taxonomy terms. The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin inadvertently includes sensitive data in responses or transmitted content without appropriate access controls or filtering. WordPress plugins operate within the wp-admin and front-end environments, and plugins managing taxonomy metadata may expose this data through REST API endpoints, admin pages, or front-end rendering without proper sanitization.
Affected ProductsAI
The Terms descriptions WordPress plugin version 3.4.10 and all earlier versions are affected. The plugin is available on the WordPress.org plugin repository and is typically installed directly into the /wp-content/plugins/terms-descriptions/ directory. Users running any version through 3.4.10 should update immediately. The vulnerability reference points to Patchstack's database entry for this specific plugin and version range.
RemediationAI
Update the Terms descriptions WordPress plugin to version 3.4.11 or later, which resolves the sensitive data exposure. Navigate to WordPress admin dashboard, go to Plugins, locate Terms descriptions, and click Update if available; alternatively, manually download the latest version from wordpress.org/plugins/terms-descriptions/ and upload it via SFTP or the plugin uploader. Verify the updated version via the Plugins page post-installation. No workarounds are available for this information disclosure issue; patching is the primary remediation. Refer to the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/terms-descriptions/) for additional advisory details.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today