Skip to main content

Vitepos CVE-2026-54841

| EUVDEUVD-2026-39369 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-25 Patchstack GHSA-wv7v-x5c8-prv7
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network endpoint leaks sensitive data with no interaction (AV:N/AC:L/PR:N/UI:N); impact is confidentiality-only (C:H, I:N, A:N), matching CWE-201 disclosure.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:19 vuln.today

DescriptionCVE.org

Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions.

AnalysisAI

Unauthenticated sensitive data exposure in the Vitepos WordPress plugin (versions 3.4.2 and earlier) lets remote attackers read sensitive information without any authentication. The flaw is reported by Patchstack and classified as CWE-201 (information exposure through sent data), with a CVSS 3.1 base score of 7.5 driven entirely by a high confidentiality impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Vitepos ≤3.4.2
Exploit
Send unauthenticated request to vulnerable endpoint
Execution
Endpoint returns sensitive data in response
Impact
Harvest exposed information

Vulnerability AssessmentAI

Exploitation Exploitation requires only that a target WordPress site has the Vitepos (vitepos-lite) plugin installed and active at version 3.4.2 or earlier, with its endpoints reachable over the network - consistent with AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, score 7.5) describes a network-reachable, low-complexity, unauthenticated read with high confidentiality impact and no integrity or availability effect - a classic high-value information-disclosure profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker, without any account or credentials, sends a crafted HTTP request to the exposed Vitepos endpoint on a WordPress site running version 3.4.2 or earlier and receives sensitive data back in the response. Given AC:L and PR:N, the request requires no special timing or privileges, so it is easily automated and scriptable across many sites. …
Remediation Upgrade Vitepos to a release later than 3.4.2 once the vendor (appsbd) publishes a fixed version; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-4-2-sensitive-data-exposure-vulnerability for the exact fixed build, as no patched version number is confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations; identify instances running Vitepos plugin versions 3.4.2 and earlier; assess data sensitivity on affected systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54841 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy