Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data.This issue affects Sunshine Photo Cart: from n/a through < 3.6.2.
AnalysisAI
Sunshine Photo Cart WordPress plugin versions prior to 3.6.2 expose sensitive information through insertion into sent data, allowing remote unauthenticated attackers to retrieve embedded sensitive data with low attack complexity. The EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation probability despite the moderate CVSS 5.3 rating, suggesting this is a low-priority information disclosure with limited practical impact.
Technical ContextAI
The vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a design flaw where the Sunshine Photo Cart plugin transmits sensitive data in HTTP responses or client-side mechanisms without proper protection. This typically occurs when authentication tokens, user identifiers, API keys, or configuration details are embedded in unencrypted or unredacted messages. The affected product is a WordPress plugin distributed via the WordPress plugin repository, making it vulnerable across all self-hosted WordPress installations running affected versions. The vulnerability does not require authentication (PR:N in CVSS vector), meaning any remote network user can trigger the information disclosure.
RemediationAI
Update Sunshine Photo Cart to version 3.6.2 or later immediately. Site administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate Sunshine Photo Cart, and click Update if available. For manual updates, download version 3.6.2 or newer from the official WordPress plugin repository or the vendor's website. No workarounds are available; patching is the only remediation. Verify the update via Plugins > Installed Plugins to confirm version 3.6.2+ is active. See Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-6-2-sensitive-data-exposure-vulnerability for additional details.
More in Sunshine Photo Cart
View allThe Sunshine Photo Cart plugin for WordPress (versions ≤3.4.11) contains an improper key validation vulnerability in its
Broken access control in the Sunshine Photo Cart WordPress plugin (versions through 3.6.7) allows authenticated low-priv
Cross-Site Request Forgery (CSRF) vulnerability in WP Sunshine Sunshine Photo Cart plugin <= 2.9.13 versions. Rated medi
The Sunshine Photo Cart: Free Client Galleries for Photographers plugin for WordPress is vulnerable to Sensitive Informa
Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries
The Sunshine Photo Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and includin
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20209