Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-accessible with low-privilege auth required; limited confidentiality impact only, no integrity or availability effect, no scope change.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in HashThemes Hash Elements allows Retrieve Embedded Sensitive Data.
This issue affects Hash Elements: from n/a through 1.5.4.
AnalysisAI
Sensitive system information exposure in the Hash Elements WordPress plugin (all versions through 1.5.4) enables authenticated low-privilege users to retrieve embedded sensitive data from the plugin's output or internal responses. Classified under CWE-497, the plugin surfaces system-level information - potentially including API keys, server paths, or configuration values - to parties who should not have access to it. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low authentication barrier (subscriber-level or equivalent WordPress account) broadens the pool of potential abusers on multi-user WordPress installations.
Technical ContextAI
Hash Elements (CPE: cpe:2.3:a:hashthemes:hash_elements:*:*:*:*:*:*:*:*) is a WordPress page-building plugin by HashThemes, likely designed for use with Elementor or similar block editors. CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) describes a class of vulnerability where internal data - such as server configuration, API credentials, filesystem paths, or software versioning details - is embedded in rendered output, REST API responses, AJAX handlers, or front-end JavaScript and becomes accessible to parties outside the intended trust boundary. In a WordPress context, this typically occurs when a plugin endpoint or shortcode output lacks proper capability checks, causing privileged data to be returned to authenticated users who hold only subscriber or contributor roles. The CVSS vector AV:N/AC:L/PR:L confirms the flaw is reachable over the network with no special configuration and only a low-privilege WordPress account.
RemediationAI
Update the Hash Elements plugin to a version beyond 1.5.4 as soon as a patched release is made available by HashThemes. The exact fixed version is not independently confirmed from the available data - only that 1.5.4 and earlier are vulnerable. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/hash-elements/vulnerability/wordpress-hash-elements-plugin-1-5-4-sensitive-data-exposure-vulnerability?_s_id=cve and the WordPress plugin repository for an updated release. As a compensating control pending a patch, consider disabling the plugin on installations where untrusted users hold low-privilege accounts, particularly on sites with open user registration. If disabling is not viable, restrict authenticated access to only trusted user roles and audit the exposed data type to determine whether downstream secrets (API keys, credentials) require rotation. Note that disabling the plugin will remove any page-builder blocks or widgets it provides, which may affect front-end layout.
More in Hash Elements
View allImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Hash El
The Hash Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter within multi
The Hash Elements plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36570
GHSA-5gvj-r2g2-wv2x