Description
Insertion of sensitive information into sent data vulnerability in MarketingFire Widget Options allows Retrieve Embedded Sensitive Data.

This issue affects Widget Options: from n/a through 4.0.1.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MarketingFire Widget Options plugin (any version up to 4.0.1) contains a flaw that allows sensitive user meta data to be embedded in data sent by the plugin. An attacker can cause the plugin to expose subscriber and user meta values through this data injection, resulting in unauthorized disclosure of private information.

Affected Systems

The vulnerability exists in all releases of the MarketingFire Widget Options WordPress plugin through version 4.0.1. WordPress sites that have this plugin installed are affected; the issue does not extend to other WordPress components or different plugins.

Risk and Exploitability

With a CVSS score of 6.5 this is a moderate severity weakness. No EPSS score is published and the vulnerability is not listed in the CISA KEV catalog, suggesting limited evidence of exploitation. The likely attack vector involves interacting with the WordPress site that hosts the vulnerable plugin—an attacker could manipulate plugin requests or data to trigger the information leak.

Generated by OpenCVE AI on June 18, 2026 at 11:56 UTC.

Remediation

Vendor Solution

Update the WordPress Widget Options plugin to the latest available version (at least 4.0.2).


OpenCVE Recommended Actions

  • Update the WordPress Widget Options plugin to version 4.0.2 or later
  • If the plugin is not required, remove or completely disable it from the WordPress installation
  • Re‑examine WordPress configurations and access controls to ensure no other components inadvertently expose user meta data

Generated by OpenCVE AI on June 18, 2026 at 11:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Marketingfire
Marketingfire widget-options
Wordpress
Wordpress wordpress
Vendors & Products Marketingfire
Marketingfire widget-options
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Insertion of sensitive information into sent data vulnerability in MarketingFire Widget Options allows Retrieve Embedded Sensitive Data. This issue affects Widget Options: from n/a through 4.0.1.
Title WordPress Widget Options plugin <= 4.0.1 - Subscriber+ User Meta Data Exposure Vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Marketingfire Widget-options
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:45:17.649Z

Reserved: 2024-05-17T10:08:56.848Z

Link: CVE-2024-35690

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:00:16Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data