CVE-2025-62947

Severity: HIGH (CVSS 3.1 base score 7.5)
Published: 2025-10-27, source: [email protected]

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 27, 2025 - 02:15 (nvd), rated HIGH 7.5

Description (NVD)

Insertion of Sensitive Information Into Sent Data vulnerability in publitio Publitio publitio allows Retrieve Embedded Sensitive Data. This issue affects Publitio: from n/a through <= 2.2.5.

Analysis (AI)

Sensitive data exposure in the Publitio WordPress plugin (versions ≤ 2.2.5) allows unauthenticated remote attackers to retrieve embedded sensitive information through ordinary network requests. The vulnerability has a high confidentiality impact (CVSS C:H) and no integrity or availability impact, though the estimated exploitation probability is low (EPSS 3rd percentile). No public exploit had been identified at the time of analysis; however, because exploitation requires neither privileges nor user interaction (PR:N/UI:N), a targeted installation could be exploited with little effort.

Technical Context (AI)

This vulnerability is an instance of CWE-201 (Insertion of Sensitive Information Into Sent Data), a weakness in which an application inadvertently includes confidential data in the responses it transmits. The Publitio plugin for WordPress, which provides media management and delivery capabilities, fails to properly sanitize or restrict sensitive information before sending data to clients. The network attack vector (AV:N) combined with low attack complexity (AC:L) suggests that the issue likely lies in API endpoints, configuration files, or response payloads that directly expose sensitive data such as API keys, authentication tokens, internal paths, or user credentials; the published description does not identify the specific endpoint. The affected product is the WordPress Publitio plugin (org.wordpress.plugin.publitio) through version 2.2.5, and installations running these versions require immediate attention.

Affected Products (AI)

The vulnerability affects the Publitio WordPress plugin in all versions up to and including version 2.2.5. Publitio provides cloud-based media management and delivery services integrated into WordPress installations, enabling users to upload, transform, and serve media assets. Any WordPress site with the Publitio plugin installed at version 2.2.5 or earlier is vulnerable to sensitive data exposure. According to the Patchstack database reference at https://patchstack.com/database/Wordpress/Plugin/publitio/vulnerability/wordpress-publitio-plugin-2-2-3-sensitive-data-exposure-vulnerability, the vulnerability was identified in the plugin's data handling mechanisms that inadvertently expose sensitive information through network-accessible channels.

Remediation (AI)

Site administrators should immediately upgrade the Publitio WordPress plugin to a version newer than 2.2.5 if one is available. Check the official WordPress plugin repository or Publitio's vendor site for the latest patched release addressing CVE-2025-62947. Until a patch is applied, implement temporary mitigations by restricting network access to WordPress admin endpoints through firewall rules or web application firewall (WAF) policies, and review server logs for suspicious requests targeting the plugin's endpoints. After upgrading, rotate any API keys, credentials, or other sensitive tokens that may have been exposed through the vulnerability, since patching alone does not invalidate secrets already retrieved. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/publitio/vulnerability/wordpress-publitio-plugin-2-2-3-sensitive-data-exposure-vulnerability for additional vendor guidance, and ensure WordPress core and all other plugins are kept up to date to minimize the attack surface.


CVE-2025-62947 vulnerability details – vuln.today
