Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network endpoint leaks sensitive data with no interaction (AV:N/AC:L/PR:N/UI:N); impact is confidentiality-only (C:H, I:N, A:N), matching CWE-201 disclosure.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the Vitepos WordPress plugin (versions 3.4.2 and earlier) lets remote attackers read sensitive information without any authentication. The flaw is reported by Patchstack and classified as CWE-201 (information exposure through sent data), with a CVSS 3.1 base score of 7.5 driven entirely by a high confidentiality impact. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that a target WordPress site has the Vitepos (vitepos-lite) plugin installed and active at version 3.4.2 or earlier, with its endpoints reachable over the network - consistent with AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, score 7.5) describes a network-reachable, low-complexity, unauthenticated read with high confidentiality impact and no integrity or availability effect - a classic high-value information-disclosure profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker, without any account or credentials, sends a crafted HTTP request to the exposed Vitepos endpoint on a WordPress site running version 3.4.2 or earlier and receives sensitive data back in the response. Given AC:L and PR:N, the request requires no special timing or privileges, so it is easily automated and scriptable across many sites. … |
| Remediation | Upgrade Vitepos to a release later than 3.4.2 once the vendor (appsbd) publishes a fixed version; consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-4-2-sensitive-data-exposure-vulnerability for the exact fixed build, as no patched version number is confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all WordPress installations; identify instances running Vitepos plugin versions 3.4.2 and earlier; assess data sensitivity on affected systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u
Blind SQL injection in the appsbd Vitepos (vitepos-lite) WordPress point-of-sale plugin affects all versions up to and i
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39369
GHSA-wv7v-x5c8-prv7