Skip to main content

Site Reviews CVE-2026-57318

| EUVDEUVD-2026-39731 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-26 audit@patchstack.com GHSA-6gq8-6wjm-24r8
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible at low complexity; subscriber-level authentication required (PR:L); high confidentiality impact from PII exposure; no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:18 vuln.today

DescriptionCVE.org

Subscriber Sensitive Data Exposure in Site Reviews <= 8.0.11 versions.

AnalysisAI

Sensitive data exposure in the Site Reviews WordPress plugin (versions through 8.0.11) allows authenticated users holding at minimum a subscriber-level account to access private or sensitive review-related data they should not be permitted to view, resulting in high confidentiality impact. The CVSS vector (PR:L, AV:N, AC:L) confirms the flaw is network-exploitable at low complexity with no user interaction required beyond possessing a basic WordPress account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain subscriber WordPress account
Delivery
Authenticate to target site
Exploit
Send crafted request to plugin data endpoint
Execution
Receive sensitive subscriber/reviewer data in response
Impact
Exfiltrate PII from all exposed records

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated WordPress account with at minimum subscriber-level role privileges on the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score is supported by a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, which signals a network-reachable, low-complexity attack requiring only a subscriber account and no user interaction, with a high confidentiality impact but no integrity or availability consequences. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running Site Reviews 8.0.11 or earlier, then issues authenticated requests to the plugin's data endpoints or review management interfaces. The plugin returns sensitive data fields - such as reviewer email addresses, IP addresses, or private review metadata - that should be restricted to administrators, allowing the attacker to harvest PII from all submitted reviews without further privileges.
Remediation The primary remediation is to update the Site Reviews WordPress plugin to a version beyond 8.0.11; however, the exact patched release version is not independently confirmed from available data - the fix version is not specified in NVD CPE or EUVD records. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57318 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy