Skip to main content

Sunshine Photo Cart CVE-2026-39564

| EUVDEUVD-2026-20209 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-04-08 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 19:44 vuln.today
CVSS changed
Apr 14, 2026 - 19:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20209
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data.This issue affects Sunshine Photo Cart: from n/a through < 3.6.2.

AnalysisAI

Sunshine Photo Cart WordPress plugin versions prior to 3.6.2 expose sensitive information through insertion into sent data, allowing remote unauthenticated attackers to retrieve embedded sensitive data with low attack complexity. The EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation probability despite the moderate CVSS 5.3 rating, suggesting this is a low-priority information disclosure with limited practical impact.

Technical ContextAI

The vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a design flaw where the Sunshine Photo Cart plugin transmits sensitive data in HTTP responses or client-side mechanisms without proper protection. This typically occurs when authentication tokens, user identifiers, API keys, or configuration details are embedded in unencrypted or unredacted messages. The affected product is a WordPress plugin distributed via the WordPress plugin repository, making it vulnerable across all self-hosted WordPress installations running affected versions. The vulnerability does not require authentication (PR:N in CVSS vector), meaning any remote network user can trigger the information disclosure.

RemediationAI

Update Sunshine Photo Cart to version 3.6.2 or later immediately. Site administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate Sunshine Photo Cart, and click Update if available. For manual updates, download version 3.6.2 or newer from the official WordPress plugin repository or the vendor's website. No workarounds are available; patching is the only remediation. Verify the update via Plugins > Installed Plugins to confirm version 3.6.2+ is active. See Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-6-2-sensitive-data-exposure-vulnerability for additional details.

Share

CVE-2026-39564 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy