Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Retrieve Embedded Sensitive Data.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0.
AnalysisAI
Sensitive data exposure in the ZAYTECH "Smart Online Order for Clover" WordPress plugin (all versions through 1.6.0) allows remote unauthenticated attackers to retrieve embedded sensitive information that the plugin inserts into data it sends. The CVSS 3.1 base score is 7.3 with a network/no-auth vector but only Low impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and EPSS scores exploitation probability at just 0.04% (11th percentile), indicating low likelihood of opportunistic mass exploitation despite the easy attack path.
Technical ContextAI
The affected component is a WordPress plugin (slug: clover-online-orders) developed by ZAYTECH that integrates a WordPress site with the Clover point-of-sale platform to enable online ordering. The root cause is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data), a weakness in which an application embeds sensitive values - such as API keys, tokens, internal identifiers, or configuration data - into responses, messages, or outbound payloads that are exposed to actors who should not have access to them. Unlike a classic injection or memory-corruption bug, CWE-201 is a design/data-handling flaw where the sensitive data is leaked through legitimate-looking output channels of the plugin. No CPE 2.3 strings were provided in the source data; affected scope is defined by the EUVD version range rather than formal CPE enumeration.
RemediationAI
No vendor-released patch version is identified in the available data - the source only confirms that versions up to and including 1.6.0 are vulnerable, with no explicit fixed version stated, so administrators should consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/clover-online-orders/vulnerability/wordpress-smart-online-order-for-clover-plugin-1-6-0-sensitive-data-exposure-vulnerability?_s_id=cve) and the WordPress.org plugin page for any release newer than 1.6.0 and upgrade as soon as one is published. Until a fixed version is confirmed, deploy a WordPress-aware web application firewall (such as Patchstack's virtual patching) to filter requests to the plugin's endpoints; this adds latency and rule-maintenance overhead but does not change plugin functionality. Restrict network access to the plugin's request handlers via server-level rules or IP allow-listing where the ordering interface is only used by known parties, accepting that this may break legitimate customer access for public storefronts. As a last resort, deactivate and remove the plugin to fully eliminate exposure, at the cost of losing the Clover online-ordering integration.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32195
GHSA-r797-7chf-m2f5