Skip to main content

WP Messiah WP AI CoPilot CVE-2025-62998

MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2025-12-18 audit@patchstack.com
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.0 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 18, 2025 - 17:15 nvd
N/A

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot ai-co-pilot-for-wp allows Retrieve Embedded Sensitive Data.This issue affects WP AI CoPilot: from n/a through <= 1.2.7.

AnalysisAI

WP AI CoPilot plugin for WordPress versions through 1.2.7 exposes sensitive information embedded within sent data, allowing attackers to retrieve confidential details without proper access controls. The vulnerability stems from inadequate handling of sensitive data in communications, classified as information disclosure with an EPSS score of 0.04% indicating low real-world exploitation probability. No public exploit code has been identified at time of analysis.

Technical ContextAI

This vulnerability involves CWE-201 (Insertion of Sensitive Information Into Sent Data), which describes a fundamental design flaw where an application transmits sensitive information through channels or mechanisms that are not adequately protected or that inadvertently expose the data to unintended recipients. In the context of the WP AI CoPilot plugin, this likely involves API communications, request/response cycles, or client-side data transmission where sensitive information such as API keys, user credentials, or prompt history is embedded in a manner accessible to attackers with network visibility or limited privileges. The WordPress plugin architecture and its integration with AI services creates additional surface area for data exposure.

Affected ProductsAI

WP AI CoPilot (ai-co-pilot-for-wp) plugin for WordPress is affected in versions from an unspecified baseline through 1.2.7 inclusive. The WordPress plugin repository identifies this as affecting all installations of this plugin up to and including version 1.2.7. Further details are available in the Patchstack vulnerability database entry referenced below.

RemediationAI

Update WP AI CoPilot plugin to a version later than 1.2.7 immediately via the WordPress plugin dashboard or by downloading the patched release from the official WordPress plugin repository. Administrators should verify the installed version matches the vulnerable range (through 1.2.7) before attempting updates. Additionally, review WordPress access logs and API integration settings to identify any potential data exposure events that may have occurred while running the vulnerable version. The Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/ai-co-pilot-for-wp/vulnerability/wordpress-wp-ai-copilot-plugin-1-2-7-sensitive-data-exposure-vulnerability provides advisory details from the reporting security firm.

Share

CVE-2025-62998 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy