CVE-2025-62139
Description
Insertion of Sensitive Information Into Sent Data vulnerability in Vladimir Statsenko Terms descriptions (terms-descriptions) allows Retrieve Embedded Sensitive Data. This issue affects Terms descriptions: from n/a through <= 3.4.10.
Analysis
The Terms descriptions WordPress plugin, versions 3.4.10 and earlier, includes sensitive data in content it sends to clients, allowing unauthenticated attackers to retrieve that embedded information. This information disclosure vulnerability (CWE-201) affects all installations of the plugin up to and including version 3.4.10. No public exploit code has been identified, and the EPSS score of 0.04% indicates a minimal real-world exploitation probability, though the vulnerability remains a concern for sites that store sensitive term metadata.
Technical Context
The vulnerability stems from improper handling of sensitive information within the Terms descriptions WordPress plugin, a tool used to add and manage descriptions for WordPress taxonomy terms. The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin inadvertently includes sensitive data in responses or transmitted content without appropriate access controls or filtering. WordPress plugins operate within the wp-admin and front-end environments, and plugins managing taxonomy metadata may expose this data through REST API endpoints, admin pages, or front-end rendering without proper sanitization.
Affected Products
The Terms descriptions WordPress plugin version 3.4.10 and all earlier versions are affected. The plugin is available on the WordPress.org plugin repository and is typically installed directly into the /wp-content/plugins/terms-descriptions/ directory. Users running any version through 3.4.10 should update immediately. The vulnerability reference points to Patchstack's database entry for this specific plugin and version range.
Remediation
Update the Terms descriptions WordPress plugin to version 3.4.11 or later, which resolves the sensitive data exposure. In the WordPress admin dashboard, go to Plugins, locate Terms descriptions, and click Update if one is available; alternatively, download the latest version from wordpress.org/plugins/terms-descriptions/ and upload it via SFTP or the plugin uploader. After installation, confirm the new version number on the Plugins page. No workarounds are available for this information disclosure issue; patching is the primary remediation. Refer to the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/terms-descriptions/) for additional advisory details.
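For administrators who manage several sites, the version check above can be scripted against the plugin directory rather than done by hand. The following is an added example written for this advisory, not code from the plugin or from Patchstack. It assumes the standard WordPress layout in which the plugin lives under wp-content/plugins/terms-descriptions/ and declares its version in a top-level PHP file header line of the form "Version: x.y.z" (the header format WordPress itself reads); the sample header embedded below is constructed, and the main file name used in it is a placeholder. A site is reported as affected when the installed version sorts below 3.4.11, the first fixed release named above.

```python
import re
import sys
from pathlib import Path
from typing import Dict, Optional

# First release the advisory names as fixing CVE-2025-62139 in Terms descriptions.
FIXED_VERSION = "3.4.11"

# Constructed sample of a WordPress plugin header block; NOT the real plugin file.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Terms descriptions
Description: Adds descriptions to taxonomy terms (constructed sample header)
Version: 3.4.10
Author: example
*/
"""

# Matches a "Version:" header line, tolerating the "/* ... */" and " * " comment framing.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(version: str) -> tuple:
    """Split a dotted version into a tuple of ints, ignoring suffixes such as '-beta'."""
    core = re.split(r"[^0-9.]", version, maxsplit=1)[0]
    return tuple(int(p) for p in core.split(".") if p != "")


def version_lt(a: str, b: str) -> bool:
    """True when version a sorts before version b; shorter tuples are zero-padded (3.4 == 3.4.0)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def is_affected(version: str) -> bool:
    """Affected range per the advisory: every version below 3.4.11, i.e. <= 3.4.10."""
    return version_lt(version, FIXED_VERSION)


def plugin_header_version(php_source: str) -> Optional[str]:
    """Return the Version: value from a WordPress plugin header, or None if absent."""
    m = HEADER_RE.search(php_source)
    return m.group(1) if m else None


def audit_plugin_files(files: Dict[str, str]) -> dict:
    """Audit one plugin directory given as {file name: PHP source} for its top-level .php files.

    Returns {'file', 'version', 'affected'} for the first file carrying a plugin header
    (the one with a "Plugin Name:" line); all three are None when no header is found.
    """
    for name in sorted(files):
        head = files[name][:8192]  # WordPress reads only the first 8 KB when parsing headers
        if "Plugin Name:" not in head:
            continue
        version = plugin_header_version(head)
        return {
            "file": name,
            "version": version,
            "affected": is_affected(version) if version else None,
        }
    return {"file": None, "version": None, "affected": None}


def audit_plugin_dir(plugins_root: str, slug: str = "terms-descriptions") -> dict:
    """Read the top-level .php files of <plugins_root>/<slug>/ and audit them.

    plugins_root is the site's wp-content/plugins directory; the slug defaults to the
    directory name given in the advisory.
    """
    plugin_dir = Path(plugins_root) / slug
    files = {
        p.name: p.read_text(encoding="utf-8", errors="replace")
        for p in plugin_dir.glob("*.php")
        if p.is_file()
    }
    return audit_plugin_files(files)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_terms_descriptions.py /var/www/html/wp-content/plugins
        print(audit_plugin_dir(sys.argv[1]))
    else:
        # Offline demonstration on the constructed sample header (placeholder file name).
        print(audit_plugin_files({"terms-descriptions.php": SAMPLE_PLUGIN_HEADER}))
```

Run it with the path to a site's wp-content/plugins directory; without an argument it audits the constructed sample and reports it as affected. Because the version is read from the file header rather than from the WordPress database, the check works on a mounted backup or a read-only copy of the web root as well as on a live site.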