Description
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to view data from password protected, private, or draft posts that they should not have access to.
Published: 2025-03-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Patch Update
AI Analysis

Impact

The WP‑Recall – Registration, Profile, Commerce & More plugin for WordPress contains an information exposure flaw that allows unauthenticated attackers to retrieve content from password protected, private, or draft posts via the 'feed' shortcode. The vulnerability arises because the plugin does not properly restrict which posts may be included, violating the intended access controls. As a result, attackers can read confidential post data, compromising user privacy and content confidentiality.

Affected Systems

The affected product is WP‑Recall, a WordPress plugin that provides registration, profile, commerce, and related functionality; the CPE record lists the vendor as Plechevandrey. All versions up to and including 16.26.10 are vulnerable. The flaw resides in the plugin's processing of the 'feed' shortcode, which does not properly restrict which posts may be included.

Risk and Exploitability

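The CVSS score of 4.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at the current time. The vulnerability does not appear in the CISA KEV catalog, and there are no indications that a public exploit is actively circulating. The likely attack vector involves placing or requesting the 'feed' shortcode from a public page, thereby triggering the plugin to expose restricted post content. While the exploitation requires no special privileges, the impact is limited to inadvertent leakage of post data. Note that the record is not consistent on the required privilege level: the description says unauthenticated, whereas the recorded CVSS vector (PR:L) and the original advisory title ("Authenticated (Contributor+)") indicate a low-privileged, contributor-level account. When assessing exposure, consider both unauthenticated visitors and low-privileged accounts.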

Generated by OpenCVE AI on April 21, 2026 at 22:02 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the WP‑Recall plugin to a version newer than 16.26.10 that resolves the shortcode restriction issue.
  • Restrict the use of the 'feed' shortcode or the plugin’s feed feature to authenticated users only, or remove it altogether if it is not required.
  • Review post visibility settings and ensure that password‑protected, private, or draft posts are excluded from any procedures or feeds that expose content to unauthenticated contexts.



Advisories
Source: EUVD
ID: EUVD-2025-6292
Title: The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to view data from password protected, private, or draft posts that they should not have access to.

History

Thu, 13 Mar 2025 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Plechevandrey; Plechevandrey wp-recall
Weaknesses | | CWE-22; NVD-CWE-noinfo
CPEs | | cpe:2.3:a:plechevandrey:wp-recall:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Plechevandrey; Plechevandrey wp-recall

Tue, 11 Mar 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 08 Mar 2025 09:30:00 +0000

Type | Values Removed | Values Added
Description | | The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 16.26.10 via the 'feed' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to view data from password protected, private, or draft posts that they should not have access to.
Title | | WP-Recall – Registration, Profile, Commerce & More <= 16.26.10 - Authenticated (Contributor+) Protected Post Disclosure
Weaknesses | | CWE-200
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:10.668Z

Reserved: 2025-02-14T23:28:25.553Z

Link: CVE-2025-1322

Vulnrichment

Updated: 2025-03-10T16:56:56.801Z

NVD

Status: Analyzed

Published: 2025-03-08T10:15:10.583

Modified: 2025-03-13T13:01:31.400

Link: CVE-2025-1322

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:15:45Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • NVD-CWE-noinfo