Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable disclosure in a WordPress plugin yields AV:N/AC:L/PR:N/UI:N; pure information leak gives C:H, I:N, A:N with unchanged scope.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in Bricksforge <= 3.1.8.4 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the Bricksforge WordPress plugin versions 3.1.8.4 and earlier allows remote attackers to retrieve confidential information without any credentials. The flaw, tracked under CWE-201 (Insertion of Sensitive Information Into Sent Data), carries a CVSS 3.1 score of 7.5 driven entirely by confidentiality impact, and no public exploit has been identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target site must have the Bricksforge WordPress plugin installed and active at version 3.1.8.4 or earlier and reachable over the network on the standard WordPress HTTP(S) interface; no authentication, user interaction, or non-default configuration is required per the CVSS vector AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N indicates a network-reachable, low-complexity, unauthenticated exploit with high confidentiality impact but no integrity or availability effect, which aligns with a pure information-disclosure class bug. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker scans the public internet for WordPress installations exposing Bricksforge fingerprints, then issues an unauthenticated HTTP request to the vulnerable plugin endpoint and parses the response for sensitive values such as configuration data, internal identifiers, or PII handled by the plugin's form or dynamic-data features. No login, user interaction, or special tooling is required, and no public exploit code has been identified at time of analysis, though the low complexity makes independent rediscovery straightforward once the affected endpoint is known. |
| Remediation | Upstream fix availability is implied by the '<= 3.1.8.4' phrasing in the Patchstack advisory but a released patched version is not independently confirmed in the provided data; site operators should consult the Patchstack record at https://patchstack.com/database/wordpress/plugin/bricksforge/vulnerability/wordpress-bricksforge-plugin-3-1-8-4-sensitive-data-exposure-vulnerability and upgrade to the next Bricksforge release above 3.1.8.4 as soon as the vendor publishes it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct a comprehensive audit of all WordPress installations to identify Bricksforge plugin presence and document current version numbers; inventory what sensitive data the plugin accesses (customer records, credentials, payment information, etc.). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Bricksforge
View allUnauthenticated privilege escalation in the Bricksforge WordPress plugin (versions ≤ 3.1.8.6) lets remote attackers crea
Missing Authorization vulnerability in Bricksforge.0.17. Rated high severity (CVSS 7.5), this vulnerability is remotely
Missing Authorization vulnerability in Bricksforge.0.17. Rated high severity (CVSS 7.5), this vulnerability is remotely
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37671