Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible unauthenticated endpoint leaks limited sensitive data; no integrity, availability, or scope-change impact supported by description.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in Softaculous FormLayer allows Retrieve Embedded Sensitive Data.
This issue affects FormLayer: from n/a through 1.0.6.
AnalysisAI
Sensitive data exposure in Softaculous FormLayer WordPress plugin through version 1.0.6 allows remote unauthenticated attackers to retrieve embedded sensitive information from data transmitted by the plugin. The root cause (CWE-201) indicates the plugin inserts sensitive content - potentially API keys, tokens, or internal configuration - into outbound data visible to requesting clients. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions required beyond the target WordPress site having the FormLayer plugin installed, activated, and serving at least one form page or plugin endpoint accessible to unauthenticated visitors. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 (Medium) correctly reflects bounded impact: confidentiality is partially compromised (C:L) but integrity and availability are unaffected (I:N/A:N), and scope is unchanged (S:U). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker visits a WordPress site running FormLayer through version 1.0.6, loads a public form page or sends a direct request to a plugin-registered endpoint, and inspects the HTTP response body or JavaScript payload. The plugin's outbound data contains embedded sensitive information - such as an API key or internal token - which the attacker extracts and uses for further unauthorized access to connected services. |
| Remediation | Update FormLayer to a version above 1.0.6 if a patched release has been published to the WordPress plugin repository or Softaculous directly. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41783
GHSA-j5vc-c5q7-5fjm