Skip to main content

12 Step Meeting List EUVDEUVD-2026-20217

| CVE-2026-39570 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-04-08 Patchstack GHSA-cpv9-p867-3vp3
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 14, 2026 - 18:22 vuln.today
CVSS changed
Apr 14, 2026 - 18:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20217
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Retrieve Embedded Sensitive Data.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.

AnalysisAI

The AA Web Servant 12 Step Meeting List WordPress plugin through version 3.19.9 exposes sensitive information in sent data, allowing unauthenticated remote attackers to retrieve embedded sensitive data with low confidentiality impact. This information disclosure vulnerability has an EPSS score of 0.02% (5th percentile), indicating minimal real-world exploitation probability despite moderate CVSS scoring.

Technical ContextAI

The vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), which occurs when an application includes sensitive information in outbound communications (HTTP responses, API data, or transmitted content). In the context of the 12 Step Meeting List plugin (a WordPress plugin for managing AA/12-step meeting information), the issue involves embedding sensitive data in responses that can be accessed without authentication. The plugin is identified by CPE cpe:2.3:a:aa_web_servant:12_step_meeting_list and affects all versions from the initial release through version 3.19.9. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the data is retrievable via network access with low complexity and no user interaction required.

RemediationAI

Update the 12 Step Meeting List plugin to the latest available version beyond 3.19.9 as released by AA Web Servant. Users should access the WordPress plugin repository or the plugin's official distribution channel to confirm the current patched version. If an immediate patch beyond 3.19.9 is not yet available, temporarily disable the plugin or restrict access to affected endpoints until an update is published. Refer to the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/12-step-meeting-list/vulnerability/wordpress-12-step-meeting-list-plugin-3-19-9-sensitive-data-exposure-vulnerability) for detailed remediation guidance and the NIST NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-39570) for vulnerability details.

Share

EUVD-2026-20217 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy