Skip to main content

Smart Online Order for Clover CVE-2026-42746

| EUVDEUVD-2026-32195 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-05-27 audit@patchstack.com GHSA-r797-7chf-m2f5
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:55 vuln.today

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Retrieve Embedded Sensitive Data.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.

AnalysisAI

Sensitive data exposure in the ZAYTECH "Smart Online Order for Clover" WordPress plugin (all versions through 1.6.0) allows remote unauthenticated attackers to retrieve embedded sensitive information that the plugin inserts into data it sends. The CVSS 3.1 base score is 7.3 with a network/no-auth vector but only Low impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.04% (11th percentile), indicating low likelihood of opportunistic mass exploitation despite the easy attack path.

Technical ContextAI

The affected component is a WordPress plugin (slug: clover-online-orders) developed by ZAYTECH that integrates a WordPress site with the Clover point-of-sale platform to enable online ordering. The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data), a weakness in which an application embeds sensitive values - such as API keys, tokens, internal identifiers, or configuration data - into responses, messages, or outbound payloads that are exposed to actors who should not have access to them. Unlike a classic injection or memory-corruption bug, CWE-201 is a design/data-handling flaw where the sensitive data is leaked through legitimate-looking output channels of the plugin. No CPE 2.3 strings were provided in the source data; affected scope is defined by the EUVD version range rather than formal CPE enumeration.

RemediationAI

No vendor-released patch version is identified in the available data - the source only confirms that versions up to and including 1.6.0 are vulnerable, with no explicit fixed version stated, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-6-0-sensitive-data-exposure-vulnerability?_s_id=cve) and the WordPress.org plugin page for any release newer than 1.6.0 and upgrade as soon as one is published. Until a fixed version is confirmed, deploy a WordPress-aware web application firewall (such as Patchstack's virtual patching) to filter requests to the plugin's endpoints; this adds latency and rule-maintenance overhead but does not change plugin functionality. Restrict network access to the plugin's request handlers via server-level rules or IP allow-listing where the ordering interface is only used by known parties, accepting that this may break legitimate customer access for public storefronts. As a last resort, deactivate and remove the plugin to fully eliminate exposure, at the cost of losing the Clover online-ordering integration.

Share

CVE-2026-42746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy