Skip to main content

WP EasyPay EUVDEUVD-2026-29457

| CVE-2026-45215 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-05-12 Patchstack GHSA-fmc2-cwhh-xqrv
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 12, 2026 - 11:32 vuln.today
CVE Published
May 12, 2026 - 11:02 nvd
MEDIUM 5.3

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data.This issue affects WP EasyPay: from n/a through <= 4.3.0.

AnalysisAI

WP EasyPay plugin through version 4.3.0 exposes sensitive information in sent data, allowing unauthenticated remote attackers to retrieve embedded data without user interaction. The vulnerability stems from improper handling of sensitive data during transmission, classified as an information disclosure issue with a CVSS score of 5.3 (network-accessible, low complexity). No active exploitation has been confirmed in CISA KEV at the time of analysis.

Technical ContextAI

WP EasyPay is a WordPress payment processing plugin that handles financial transactions. The vulnerability involves CWE-201 (Insertion of Sensitive Information Into Sent Data), which occurs when an application transmits sensitive information (such as credentials, API keys, or transaction details) in a manner that can be intercepted or retrieved by unauthorized parties. This typically manifests in payment gateways when API responses, form data, or transaction logs contain unencrypted or inadequately masked sensitive fields. The plugin's failure to properly sanitize or encrypt sensitive fields before transmission creates a direct information disclosure channel accessible over the network.

RemediationAI

Upgrade WP EasyPay to a patched version released after 4.3.0. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wp-easy-pay/vulnerability/wordpress-wp-easypay-plugin-4-3-0-sensitive-data-exposure-vulnerability?_s_id=cve for the exact patched version. As an immediate compensating control, restrict access to the plugin's API endpoints and transaction log pages to authenticated users only via Web Application Firewall (WAF) rules or .htaccess restrictions; document which endpoints expose sensitive data and block them from public access pending patching. Ensure all payment processing occurs over HTTPS with HSTS headers enforced. Review web server access logs and database transaction records for evidence of sensitive data retrieval by unauthorized parties. If upgrade is delayed, disable the plugin entirely and switch to an alternative payment gateway until the patch is deployed.

Share

EUVD-2026-29457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy