Skip to main content

Rt Theme 18 Extensions CVE-2026-39711

| EUVDEUVD-2026-20419 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-04-08 Patchstack GHSA-hjp2-9xx7-v66x
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:44 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20419
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.

AnalysisAI

RT-Theme 18 Extensions WordPress plugin versions up to 2.5 exposes sensitive data through insertion of information into sent data, allowing unauthenticated remote attackers to retrieve embedded sensitive information with low attack complexity. The vulnerability affects the plugin's data transmission mechanisms and has an EPSS exploitation probability of 0.02%, indicating minimal real-world attack likelihood despite the moderate CVSS score.

Technical ContextAI

This vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a weakness where sensitive information is unintentionally included in outbound data streams without proper sanitization or encryption. In the context of the RT-Theme 18 Extensions plugin (CPE: cpe:2.3:a:stmcan:rt-theme_18_|_extensions:*:*:*:*:*:*:*:*), the plugin likely transmits configuration data, user metadata, or internal state information through HTTP responses, API calls, or client-side JavaScript that can be intercepted or examined. The WordPress plugin architecture means this data exposure could occur during AJAX requests, form submissions, or page rendering where sensitive values are embedded in DOM attributes or response bodies without adequate access controls or obfuscation.

RemediationAI

Update RT-Theme 18 Extensions to a patched version above 2.5 as soon as such a release is available. Site administrators should immediately review their plugin version through the WordPress dashboard (Plugins > Installed Plugins) and apply the update when released by the vendor. In the interim, organizations concerned about information disclosure through plugin-generated responses should disable the plugin if it is non-critical to site functionality, or implement network-level monitoring to detect unusual data transmission patterns from the affected plugin. Consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/rt18-extensions/vulnerability/wordpress-rt-theme-18-extensions-plugin-2-5-sensitive-data-exposure-vulnerability for patch availability and release timelines.

Share

CVE-2026-39711 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy