Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network-reachable disclosure in a WordPress plugin yields AV:N/AC:L/PR:N/UI:N; pure information leak gives C:H, I:N, A:N with unchanged scope.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Sensitive Data Exposure in Bricksforge <= 3.1.8.4 versions.
AnalysisAI
Unauthenticated sensitive data exposure in the Bricksforge WordPress plugin versions 3.1.8.4 and earlier allows remote attackers to retrieve confidential information without any credentials. The flaw, tracked under CWE-201 (Insertion of Sensitive Information Into Sent Data), carries a CVSS 3.1 score of 7.5 driven entirely by confidentiality impact, and no public exploit has been identified at time of analysis.
Technical ContextAI
Bricksforge is a third-party add-on plugin for the Bricks Builder page-building ecosystem on WordPress, extending it with form handling, dynamic data, and admin-side workflow features. The CPE 'cpe:2.3:a:bricksforge:bricksforge' identifies the vendor's commercial plugin, and the underlying weakness CWE-201 (Insertion of Sensitive Information Into Sent Data) means the plugin embeds confidential values into responses or assets that are reachable without authentication - typically AJAX endpoints, REST routes, or rendered front-end output that should have been gated behind capability checks. Patchstack, who reported the issue, specializes in WordPress plugin vulnerabilities and coordinates fixes with plugin authors.
RemediationAI
Upstream fix availability is implied by the '<= 3.1.8.4' phrasing in the Patchstack advisory but a released patched version is not independently confirmed in the provided data; site operators should consult the Patchstack record at https://patchstack.com/database/wordpress/plugin/bricksforge/vulnerability/wordpress-bricksforge-plugin-3-1-8-4-sensitive-data-exposure-vulnerability and upgrade to the next Bricksforge release above 3.1.8.4 as soon as the vendor publishes it. Until a fixed version is installed, compensating controls include deactivating the Bricksforge plugin entirely (which will break any forms, dynamic content, or admin workflows it provides), restricting access to the affected WordPress endpoints with a WAF rule scoped to Bricksforge AJAX or REST routes (which may break legitimate front-end behavior if the plugin uses those routes for anonymous visitors), and enabling Patchstack's virtual patching service if already subscribed. Reviewing access logs for unusual hits to plugin-specific endpoints is recommended to detect prior probing.
More in Bricksforge
View allUnauthenticated privilege escalation in the Bricksforge WordPress plugin (versions ≤ 3.1.8.6) lets remote attackers crea
Missing Authorization vulnerability in Bricksforge.0.17. Rated high severity (CVSS 7.5), this vulnerability is remotely
Missing Authorization vulnerability in Bricksforge.0.17. Rated high severity (CVSS 7.5), this vulnerability is remotely
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37671