Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data.This issue affects WP EasyPay: from n/a through <= 4.3.0.
AnalysisAI
WP EasyPay plugin through version 4.3.0 exposes sensitive information in sent data, allowing unauthenticated remote attackers to retrieve embedded data without user interaction. The vulnerability stems from improper handling of sensitive data during transmission, classified as an information disclosure issue with a CVSS score of 5.3 (network-accessible, low complexity). No active exploitation has been confirmed in CISA KEV at the time of analysis.
Technical ContextAI
WP EasyPay is a WordPress payment processing plugin that handles financial transactions. The vulnerability involves CWE-201 (Insertion of Sensitive Information Into Sent Data), which occurs when an application transmits sensitive information (such as credentials, API keys, or transaction details) in a manner that can be intercepted or retrieved by unauthorized parties. This typically manifests in payment gateways when API responses, form data, or transaction logs contain unencrypted or inadequately masked sensitive fields. The plugin's failure to properly sanitize or encrypt sensitive fields before transmission creates a direct information disclosure channel accessible over the network.
RemediationAI
Upgrade WP EasyPay to a patched version released after 4.3.0. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-easy-pay/vulnerability/wordpress-wp-easypay-plugin-4-3-0-sensitive-data-exposure-vulnerability?_s_id=cve for the exact patched version. As an immediate compensating control, restrict access to the plugin's API endpoints and transaction log pages to authenticated users only via Web Application Firewall (WAF) rules or .htaccess restrictions; document which endpoints expose sensitive data and block them from public access pending patching. Ensure all payment processing occurs over HTTPS with HSTS headers enforced. Review web server access logs and database transaction records for evidence of sensitive data retrieval by unauthorized parties. If upgrade is delayed, disable the plugin entirely and switch to an alternative payment gateway until the patch is deployed.
More in Wp Easypay
View allThe WP EasyPay WordPress plugin before 4.1 does not escape some generated URLs before outputting them back in pages, lea
Cross-site request forgery in the WP EasyPay WordPress plugin (versions through 4.4.0) enables remote attackers to perfo
The WP EasyPay - Square for WordPress plugin for WordPress is vulnerable to unauthorized modification of datadue to a mi
WP EasyPay versions up to 4.2.11 contain an authorization bypass that allows authenticated users to modify plugin settin
The WP EasyPay - Square for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to
Cross-Site Request Forgery (CSRF) vulnerability in WP Easy Pay WP EasyPay - Square for WordPress plugin <= 4.1 versions.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29457
GHSA-fmc2-cwhh-xqrv