Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-accessible at low complexity; subscriber-level authentication required (PR:L); high confidentiality impact from PII exposure; no integrity or availability effect.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Sensitive Data Exposure in Site Reviews <= 8.0.11 versions.
AnalysisAI
Sensitive data exposure in the Site Reviews WordPress plugin (versions through 8.0.11) allows authenticated users holding at minimum a subscriber-level account to access private or sensitive review-related data they should not be permitted to view, resulting in high confidentiality impact. The CVSS vector (PR:L, AV:N, AC:L) confirms the flaw is network-exploitable at low complexity with no user interaction required beyond possessing a basic WordPress account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated WordPress account with at minimum subscriber-level role privileges on the target site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 Medium score is supported by a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, which signals a network-reachable, low-complexity attack requiring only a subscriber account and no user interaction, with a high confidentiality impact but no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a WordPress site running Site Reviews 8.0.11 or earlier, then issues authenticated requests to the plugin's data endpoints or review management interfaces. The plugin returns sensitive data fields - such as reviewer email addresses, IP addresses, or private review metadata - that should be restricted to administrators, allowing the attacker to harvest PII from all submitted reviews without further privileges. |
| Remediation | The primary remediation is to update the Site Reviews WordPress plugin to a version beyond 8.0.11; however, the exact patched release version is not independently confirmed from available data - the fix version is not specified in NVD CPE or EUVD records. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39731
GHSA-6gq8-6wjm-24r8