Skip to main content

Templately CVE-2026-42379

| EUVDEUVD-2026-25797 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-04-27 audit@patchstack.com
7.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 18:52 vuln.today
cvss_changed
Analysis Generated
Apr 27, 2026 - 09:30 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 09:22 euvd
EUVD-2026-25797
Analysis Generated
Apr 27, 2026 - 09:22 vuln.today
CVE Published
Apr 27, 2026 - 09:16 nvd
HIGH 7.7

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1.

AnalysisAI

Sensitive data exposure in Templately WordPress plugin ≤3.6.1 allows authenticated attackers to retrieve embedded sensitive information via network requests. The vulnerability exhibits scope change (S:C) indicating potential cross-boundary impact, with high confidentiality impact but no integrity or availability effects. CVSS 7.7 severity driven by network accessibility and low attack complexity. No CISA KEV listing indicates no confirmed widespread exploitation. Reported by Patchstack's audit team with reference to their vulnerability database entry.

Technical ContextAI

This vulnerability affects the Templately WordPress plugin, a template management system for WordPress site builders. CWE-201 (Insertion of Sensitive Information Into Sent Data) indicates the plugin improperly includes sensitive information in responses sent to clients - typically through API endpoints, AJAX handlers, or data serialization mechanisms that expose information beyond what the requester should access. The Changed scope (S:C) in the CVSS vector suggests the vulnerability may allow access to resources outside the plugin's normal security boundary, potentially affecting WordPress core data, other plugins' data, or database contents. This class of vulnerability commonly arises from insufficient output filtering in REST API endpoints, inadequate access controls on AJAX actions, or debug information leaking into production responses.

RemediationAI

Upgrade Templately plugin to version 3.6.2 or later if available - verify current version at WordPress.org plugin repository or WPDeveloper's official site. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-6-1-sensitive-data-exposure-vulnerability for vendor-confirmed fix version. If no patched version exists, implement compensating controls: restrict plugin access to only trusted administrator accounts by removing Contributor/Author/Editor capabilities for Templately features; monitor WordPress access logs for unusual API requests to Templately endpoints; implement Web Application Firewall rules to inspect and filter responses from Templately AJAX handlers for sensitive patterns (database credentials, API keys, system paths). Consider temporarily disabling the plugin if template management functionality is non-critical until patch confirmation. Note that restricting user roles may impact legitimate workflow for content creators who require template access.

Share

CVE-2026-42379 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy