Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1.
AnalysisAI
Sensitive data exposure in Templately WordPress plugin ≤3.6.1 allows authenticated attackers to retrieve embedded sensitive information via network requests. The vulnerability exhibits scope change (S:C) indicating potential cross-boundary impact, with high confidentiality impact but no integrity or availability effects. CVSS 7.7 severity driven by network accessibility and low attack complexity. No CISA KEV listing indicates no confirmed widespread exploitation. Reported by Patchstack's audit team with reference to their vulnerability database entry.
Technical ContextAI
This vulnerability affects the Templately WordPress plugin, a template management system for WordPress site builders. CWE-201 (Insertion of Sensitive Information Into Sent Data) indicates the plugin improperly includes sensitive information in responses sent to clients - typically through API endpoints, AJAX handlers, or data serialization mechanisms that expose information beyond what the requester should access. The Changed scope (S:C) in the CVSS vector suggests the vulnerability may allow access to resources outside the plugin's normal security boundary, potentially affecting WordPress core data, other plugins' data, or database contents. This class of vulnerability commonly arises from insufficient output filtering in REST API endpoints, inadequate access controls on AJAX actions, or debug information leaking into production responses.
RemediationAI
Upgrade Templately plugin to version 3.6.2 or later if available - verify current version at WordPress.org plugin repository or WPDeveloper's official site. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-6-1-sensitive-data-exposure-vulnerability for vendor-confirmed fix version. If no patched version exists, implement compensating controls: restrict plugin access to only trusted administrator accounts by removing Contributor/Author/Editor capabilities for Templately features; monitor WordPress access logs for unusual API requests to Templately endpoints; implement Web Application Firewall rules to inspect and filter responses from Templately AJAX handlers for sensitive patterns (database credentials, API keys, system paths). Consider temporarily disabling the plugin if template management functionality is non-critical until patch confirmation. Note that restricting user roles may impact legitimate workflow for content creators who require template access.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25797