Impact
The MarketingFire Widget Options plugin (any version up to 4.0.1) contains a flaw that allows sensitive user meta data to be embedded in data sent by the plugin. An attacker can cause the plugin to expose subscriber and user meta values through this data injection, resulting in unauthorized disclosure of private information.
Affected Systems
The vulnerability exists in all releases of the MarketingFire Widget Options WordPress plugin through version 4.0.1. WordPress sites that have this plugin installed are affected; the issue does not extend to other WordPress components or different plugins.
Risk and Exploitability
With a CVSS score of 6.5 this is a moderate severity weakness. No EPSS score is published and the vulnerability is not listed in the CISA KEV catalog, suggesting limited evidence of exploitation. The likely attack vector involves interacting with the WordPress site that hosts the vulnerable plugin—an attacker could manipulate plugin requests or data to trigger the information leak.
OpenCVE Enrichment