Skip to main content

Corpkit EUVDEUVD-2025-210401

| CVE-2025-69132 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-07-02 Patchstack GHSA-j4cc-7jwr-r3p2
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible via authenticated HTTP request (AV:N, PR:L); no complexity or interaction needed; confidentiality-only impact with no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:38 vuln.today

DescriptionCVE.org

Subscriber Sensitive Data Exposure in Corpkit <= 1.0.5 versions.

AnalysisAI

Sensitive data exposure in the Corpkit WordPress theme (versions <= 1.0.5) allows an authenticated subscriber-level user to retrieve confidential information that should be inaccessible to that role. The CVSS vector (PR:L, C:H) confirms that any low-privileged account holder - the default registered-user role in WordPress - can trigger the disclosure over the network with no additional interaction required. No public exploit code or active exploitation has been identified at time of analysis, but the low barrier of entry (subscriber registration is often open on WordPress sites) elevates real-world risk.

Technical ContextAI

Corpkit is a WordPress theme developed by zozothemes, identified via CPE cpe:2.3:a:zozothemes:corpkit:*:*:*:*:*:*:*:*. WordPress themes can introduce REST API endpoints, AJAX handlers, or template logic that inadvertently expose backend data to authenticated users. CWE-201 (Insertion of Sensitive Information Into Sent Data) indicates the root cause: the theme includes sensitive data in server responses - such as API keys, user metadata, configuration values, or private post content - in a context reachable by subscribers. This class of flaw typically arises when theme developers fail to apply capability checks (e.g., current_user_can()) before returning data in AJAX or REST responses, causing the server to actively transmit privileged information rather than the client inferring it.

RemediationAI

Update the Corpkit theme to a version beyond 1.0.5 as soon as a patched release is available from the zozothemes developer. Patch availability per vendor advisory is referenced via Patchstack at https://patchstack.com/database/wordpress/theme/corpkit/vulnerability/wordpress-corpkit-theme-1-0-5-sensitive-data-exposure-vulnerability - consult this page for the confirmed fix version, which was not independently confirmed in the available data. If an immediate update is not possible, consider disabling public user registration on the WordPress site (Settings > General > uncheck 'Anyone can register') to prevent unauthenticated parties from obtaining the subscriber role needed to exploit this flaw; note this trade-off may impact legitimate site functionality. Additionally, review active subscriber accounts for suspicious activity and audit theme AJAX/REST handlers for missing capability checks as a compensating control.

Share

EUVD-2025-210401 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy