Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Retrieve Embedded Sensitive Data.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
AnalysisAI
The AA Web Servant 12 Step Meeting List WordPress plugin through version 3.19.9 exposes sensitive information in sent data, allowing unauthenticated remote attackers to retrieve embedded sensitive data with low confidentiality impact. This information disclosure vulnerability has an EPSS score of 0.02% (5th percentile), indicating minimal real-world exploitation probability despite moderate CVSS scoring.
Technical ContextAI
The vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), which occurs when an application includes sensitive information in outbound communications (HTTP responses, API data, or transmitted content). In the context of the 12 Step Meeting List plugin (a WordPress plugin for managing AA/12-step meeting information), the issue involves embedding sensitive data in responses that can be accessed without authentication. The plugin is identified by CPE cpe:2.3:a:aa_web_servant:12_step_meeting_list and affects all versions from the initial release through version 3.19.9. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the data is retrievable via network access with low complexity and no user interaction required.
RemediationAI
Update the 12 Step Meeting List plugin to the latest available version beyond 3.19.9 as released by AA Web Servant. Users should access the WordPress plugin repository or the plugin's official distribution channel to confirm the current patched version. If an immediate patch beyond 3.19.9 is not yet available, temporarily disable the plugin or restrict access to affected endpoints until an update is published. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/12-step-meeting-list/vulnerability/wordpress-12-step-meeting-list-plugin-3-19-9-sensitive-data-exposure-vulnerability) for detailed remediation guidance and the NIST NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39570) for vulnerability details.
More in 12 Step Meeting List
View allMissing Authorization vulnerability in Code for Recovery 12 Step Meeting List.14.28. Rated high severity (CVSS 8.8), thi
Broken access control in AA Web Servant 12 Step Meeting List plugin version 3.19.9 and earlier allows authenticated user
Server-Side Request Forgery (SSRF) vulnerability in Code for Recovery 12 Step Meeting List.14.24. Rated medium severity
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20217
GHSA-cpv9-p867-3vp3