Description
The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhook token value when configured.
Published: 2025-11-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The KiotViet Sync plugin for WordPress contains a flaw that allows an unauthenticated attacker to learn the webhook token. The vulnerability stems from the register_api_route() function in WebHookAction.php, which exposes the token value when it is configured. Because the webhook token grants privileged access to the service, disclosure enables an attacker to perform token‑based operations or abuse the integration.

Affected Systems

Vulnerable versions of the KiotViet Sync WordPress plugin (up to and including 1.8.5). The flaw exists in all builds from the earliest release to 1.8.5, regardless of other configuration. The affected product is identified as mykiot:KiotViet Sync.

Risk and Exploitability

The CVSS base score is 5.3, classifying the issue as Medium severity. The EPSS score is less than 1%, indicating a low probability of exploitation at this time. The weakness is not listed in CISA KEV. Based on the description, it is inferred that the flaw can be triggered by any web request to the plugin, although the exact request path is not explicitly specified. The vulnerability does not require authentication or elevated privileges. An attacker who discovers the token can then use it to interact with the webhook API and potentially compromise the target site or the backend service.

Generated by OpenCVE AI on April 28, 2026 at 10:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the KiotViet Sync plugin to the latest version available in the WordPress plugin repository.
  • If an update cannot be performed immediately, remove or disable the plugin’s webhook functionality to prevent token exposure.
  • Monitor the plugin’s public updates and vulnerability advisories for patch releases.

Generated by OpenCVE AI on April 28, 2026 at 10:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 06 Nov 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 05 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 05 Nov 2025 07:45:00 +0000

Type Values Removed Values Added
Description The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhook token value when configured.
Title KiotViet Sync <= 1.8.5 - Unauthenticated Webhook Key Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:11.598Z

Reserved: 2025-11-03T22:04:56.746Z

Link: CVE-2025-12677

cve-icon Vulnrichment

Updated: 2025-11-05T14:21:37.236Z

cve-icon NVD

Status : Deferred

Published: 2025-11-05T08:15:33.843

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12677

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T10:30:29Z

Weaknesses