CVE-2025-62998

2025-12-18 [email protected]

Lifecycle Timeline

- Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
- CVE Published: Dec 18, 2025 - 17:15 (nvd)

Description

Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot (ai-co-pilot-for-wp) allows Retrieve Embedded Sensitive Data. This issue affects WP AI CoPilot: from n/a through <= 1.2.7.

Analysis

The WP AI CoPilot plugin for WordPress, in versions through 1.2.7, exposes sensitive information embedded within sent data, allowing attackers to retrieve confidential details without proper access controls. The vulnerability stems from inadequate handling of sensitive data in communications and is classified as information disclosure; its EPSS score of 0.04% indicates a low real-world exploitation probability. No public exploit code had been identified at the time of analysis.

Technical Context

This vulnerability involves CWE-201 (Insertion of Sensitive Information Into Sent Data), which describes a design flaw where an application transmits sensitive information through channels or mechanisms that are not adequately protected, or that inadvertently expose the data to unintended recipients. In the context of the WP AI CoPilot plugin, this likely involves API communications, request/response cycles, or client-side data transmission in which sensitive information such as API keys, user credentials, or prompt history is embedded in a form accessible to attackers with network visibility or limited privileges. The WordPress plugin architecture and its integration with external AI services create additional surface area for data exposure.

Affected Products

WP AI CoPilot (ai-co-pilot-for-wp) plugin for WordPress is affected in versions from an unspecified baseline through 1.2.7 inclusive. The WordPress plugin repository identifies this as affecting all installations of this plugin up to and including version 1.2.7. Further details are available in the Patchstack vulnerability database entry referenced below.

Remediation

Update the WP AI CoPilot plugin to a version later than 1.2.7 immediately, either via the WordPress plugin dashboard or by downloading the patched release from the official WordPress plugin repository. Administrators should confirm that the installed version falls within the vulnerable range (through 1.2.7) before attempting updates. Additionally, review WordPress access logs and API integration settings to identify any potential data exposure events that may have occurred while the vulnerable version was running. The Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/ai-co-pilot-for-wp/vulnerability/wordpress-wp-ai-copilot-plugin-1-2-7-sensitive-data-exposure-vulnerability provides advisory details from the reporting security firm.
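The version check recommended above can be scripted so it is applied consistently across many sites. The following is an added example, not code from vuln.today, Patchstack or the plugin vendor. It assumes WP-CLI is installed and that the WordPress root is given by the WP_PATH environment variable (or defaults to /var/www/html); the plugin slug ai-co-pilot-for-wp and the upper bound 1.2.7 come from the advisory. Versions are compared component by component, so 1.10.0 correctly sorts above 1.9.0 where a plain string comparison would not.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): report whether the
# installed WP AI CoPilot version falls within the affected range (through 1.2.7).

AFFECTED_THROUGH="1.2.7"          # highest affected version, per the advisory
PLUGIN_SLUG="ai-co-pilot-for-wp"  # plugin slug, per the advisory

# version_le A B -> exit status 0 if A <= B, comparing dot-separated numeric
# components (missing trailing components are treated as 0).
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 0
  }'
}

# is_affected VERSION -> exit status 0 if VERSION is within the affected range
is_affected() {
  version_le "$1" "$AFFECTED_THROUGH"
}

# installed_version -> prints the installed plugin version via WP-CLI.
# Assumption: WP-CLI is on PATH and WP_PATH (default /var/www/html) is the site root.
installed_version() {
  wp plugin get "$PLUGIN_SLUG" --field=version --path="${WP_PATH:-/var/www/html}" 2>/dev/null
}

# Usage: sh check-copilot.sh --check   (exit 1 = affected, 2 = could not determine)
if [ "${1:-}" = "--check" ]; then
  v=$(installed_version) || { echo "$PLUGIN_SLUG not found or WP-CLI unavailable"; exit 2; }
  if is_affected "$v"; then
    echo "$PLUGIN_SLUG $v is within the affected range (<= $AFFECTED_THROUGH); update required"
    exit 1
  fi
  echo "$PLUGIN_SLUG $v is outside the affected range"
fi
```

Running the script with `--check` on each host gives a non-zero exit status for affected installs, which makes it easy to drive from a fleet-wide inventory job.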

Priority Score

- Score: 0 (scale: Low / Medium / High / Critical)
- KEV: 0
- EPSS: +0.0
- CVSS: +0
- POC: 0

CVE-2025-62998 vulnerability details – vuln.today