Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme Review Schema review-schema allows Retrieve Embedded Sensitive Data.This issue affects Review Schema: from n/a through <= 2.2.6.
AnalysisAI
The RadiusTheme Review Schema WordPress plugin versions up to and including 2.2.6 contains an information disclosure vulnerability (CWE-497) that allows unauthorized attackers to retrieve embedded sensitive data through the plugin's schema implementation. An attacker can exploit this vulnerability to access system information that should not be exposed, potentially leveraging the data for reconnaissance or further attacks. No CVSS score, EPSS data, or confirmed KEV/POC status is currently available, but the vulnerability has been documented by Patchstack and assigned EUVD-2026-15657.
Technical ContextAI
The vulnerability exists in the Review Schema component of the RadiusTheme plugin (CPE: cpe:2.3:a:radiustheme:review_schema:*:*:*:*:*:*:*:*), which is a WordPress plugin used to implement structured data markup for product/service reviews. The root cause is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), indicating that the plugin improperly exposes sensitive system or application data through its schema output or API endpoints. This likely occurs through inadequate input validation, missing access controls, or improper handling of sensitive data within the structured data/JSON-LD schema that the plugin generates for search engines and client-side consumption. The embedded sensitive information could include internal system paths, configuration details, user identifiers, or other metadata that should remain server-side.
RemediationAI
Immediately upgrade the RadiusTheme Review Schema plugin to the latest available version beyond 2.2.6 if a patch has been released; check the official RadiusTheme repository or the Patchstack advisory for the specific patched version number. If no patch is currently available, consider disabling the Review Schema plugin until a security update is released, or contact RadiusTheme support for an emergency security advisory. As a temporary mitigation, restrict access to the plugin's endpoints via web application firewall rules, disable public access to schema endpoints if possible, and audit recent access logs for signs of information disclosure. Additionally, implement HTTP response header filtering to prevent schema data from being indexed or cached by search engines via X-Robots-Tag headers if the plugin allows configuration of sensitive fields.
More in Review Schema
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15657
GHSA-24pv-cxm8-65fp