Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible WordPress plugin endpoint leaks data to unauthenticated requesters; no integrity or availability impact applies per CWE-201 data-exposure class.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in Tim Strifler Exclusive Addons Elementor allows Retrieve Embedded Sensitive Data.
This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.9.
AnalysisAI
Sensitive data exposure in Exclusive Addons Elementor (WordPress plugin by Tim Strifler) through version 2.7.9.9 enables unauthenticated remote attackers to retrieve sensitive information embedded within HTTP responses. The CWE-201 root cause indicates the plugin incorrectly includes sensitive data in outbound responses accessible to any network client without authentication, as confirmed by the CVSS vector (PR:N/UI:N). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required and no user interaction is needed, as confirmed by the CVSS vector metrics PR:N and UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.3 (Medium) is driven by AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network-exploitable, low-complexity, unauthenticated access with limited confidentiality impact and no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker identifies a WordPress site running Exclusive Addons Elementor through version fingerprinting or public plugin enumeration, then sends a crafted HTTP request to a vulnerable plugin endpoint - such as an AJAX handler or REST route - and receives a response containing embedded sensitive data (e.g., internal keys, user metadata, or configuration values). No public exploit code was identified at time of analysis, but the trivial attack complexity (AC:L, PR:N) means any network-capable actor could attempt exploitation with minimal tooling. |
| Remediation | Update Exclusive Addons for Elementor to a version beyond 2.7.9.9 via the WordPress plugin dashboard or by downloading the patched release from the WordPress.org plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Exclusive Addons Elementor
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41782
GHSA-w5x6-33vr-7xmp