Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network request to a WordPress plugin endpoint discloses stored signature/PII data with no user interaction and no integrity or availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the Signature Add-On for WooCommerce WordPress plugin versions 2.0 and earlier allows remote attackers to retrieve protected information without credentials over the network. Reported by Patchstack and tracked as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), the issue carries a CVSS 7.5 score driven entirely by confidentiality impact. At time of analysis there is no public exploit identified and no CISA KEV listing, but the trivial attack complexity makes opportunistic scanning plausible.
Technical ContextAI
The affected component is the Signature Add-On for WooCommerce, a third-party WordPress plugin (CPE cpe:2.3:a:wp_e-signature:signature_add-on_for_woocommerce) that extends WooCommerce checkout/order flows with digital-signature capture, typically used to collect customer signatures on orders, contracts, or terms acceptance. CWE-497 covers the exposure of sensitive system or application data to actors who should not have access - in WordPress plugin contexts this commonly manifests as unprotected REST or admin-ajax endpoints, world-readable upload paths storing signature images/PDFs, or debug/diagnostic output that leaks configuration, file paths, or stored customer data. Because signatures are inherently tied to identity and order data, the exposed material is likely to include personally identifiable information collected at the WooCommerce checkout stage.
RemediationAI
No vendor-released patch version is independently confirmed in the supplied data - the Patchstack advisory describes the vulnerable range as '<= 2.0' but does not name a fixed release, so the most specific actionable status is 'patch availability not confirmed at time of analysis; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woocommerce-digital-signature/vulnerability/wordpress-signature-add-on-for-woocommerce-plugin-2-0-sensitive-data-exposure-vulnerability for the latest fixed version.' Operators should upgrade to any post-2.0 release published by the wp_e-signature vendor as soon as one is verified, and in the interim either deactivate and remove the Signature Add-On for WooCommerce plugin (the safest control, at the cost of losing in-checkout signature capture), or place a WAF/virtual-patching rule (Patchstack, Wordfence, or equivalent) in front of the WordPress site to block requests to the plugin's endpoints and restrict access to wp-content/uploads paths that may store signature artifacts. Avoid relying solely on .htaccess deny rules for the uploads directory because legitimate WooCommerce assets are often served from the same tree, which can break order receipts and emails.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36901
GHSA-rhrc-9gjf-fhp7