Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
AnalysisAI
RT-Theme 18 Extensions WordPress plugin versions up to 2.5 exposes sensitive data through insertion of information into sent data, allowing unauthenticated remote attackers to retrieve embedded sensitive information with low attack complexity. The vulnerability affects the plugin's data transmission mechanisms and has an EPSS exploitation probability of 0.02%, indicating minimal real-world attack likelihood despite the moderate CVSS score.
Technical ContextAI
This vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a weakness where sensitive information is unintentionally included in outbound data streams without proper sanitization or encryption. In the context of the RT-Theme 18 Extensions plugin (CPE: cpe:2.3:a:stmcan:rt-theme_18_|_extensions:*:*:*:*:*:*:*:*), the plugin likely transmits configuration data, user metadata, or internal state information through HTTP responses, API calls, or client-side JavaScript that can be intercepted or examined. The WordPress plugin architecture means this data exposure could occur during AJAX requests, form submissions, or page rendering where sensitive values are embedded in DOM attributes or response bodies without adequate access controls or obfuscation.
RemediationAI
Update RT-Theme 18 Extensions to a patched version above 2.5 as soon as such a release is available. Site administrators should immediately review their plugin version through the WordPress dashboard (Plugins > Installed Plugins) and apply the update when released by the vendor. In the interim, organizations concerned about information disclosure through plugin-generated responses should disable the plugin if it is non-critical to site functionality, or implement network-level monitoring to detect unusual data transmission patterns from the affected plugin. Consult the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/rt18-extensions/vulnerability/wordpress-rt-theme-18-extensions-plugin-2-5-sensitive-data-exposure-vulnerability for patch availability and release timelines.
More in Rt Theme 18 Extensions
View allPHP Object Injection in the RT-Theme 18 | Extensions plugin (rt18-extensions) for WordPress affects all versions up to a
PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attack
Reflected cross-site scripting in the stmcan RT-Theme 18 | Extensions WordPress plugin (all versions up to and including
Cross-site request forgery (CSRF) in stmcan RT-Theme 18 Extensions plugin version 2.5 and earlier allows unauthenticated
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20419
GHSA-hjp2-9xx7-v66x