Description
The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials.
Published: 2026-01-14
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The PDF Resume Parser plugin for WordPress contains a handler for an AJAX action that can be called by anyone without authentication. The handler returns the SMTP configuration stored in the WordPress settings, including the username and password. This leaks sensitive credentials and can enable an attacker to compromise the email account that the site uses or to exfiltrate further data using those credentials.

Affected Systems

Any WordPress site that has installed the kiwicommerce PDF Resume Parser plugin in version 1.0 or earlier is impacted. The vulnerability exists in all releases up to and including 1.0 and affects any installation that has granted public access to the AJAX endpoint.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, and the EPSS score is below 1%, meaning the likelihood of recent exploitation is low. The vulnerability is not listed in the CISA KEV catalog. Because the AJAX action is unauthenticated, an attacker only needs the web address of the site to trigger the request. Successful exploitation results in the attacker learning the SMTP credentials, which could be used to send spam, phishing messages, or access a broader network that shares the same credentials. Since no privileged context is required, the attack is straightforward but the potential damage depends on how the credentials are used elsewhere.

Generated by OpenCVE AI on April 21, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PDF Resume Parser plugin to a version that removes or protects the AJAX endpoint.
  • If no update is available, disable the plugin’s AJAX action by adding a capability requirement or removing the handler from the code.
  • Ensure that the SMTP credentials are stored in a secure manner (e.g., using WordPress’s native settings or a vault) and double‑check that the plugin no longer exposes them via public endpoints.

Generated by OpenCVE AI on April 21, 2026 at 16:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 14 Jan 2026 05:45:00 +0000

Type Values Removed Values Added
Description The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that is accessible to unauthenticated users and exposes SMTP configuration data including credentials. This makes it possible for unauthenticated attackers to extract sensitive SMTP credentials (username and password) from the WordPress configuration, which could be leveraged to compromise email accounts and potentially gain unauthorized access to other systems using the same credentials.
Title PDF Resume Parser <= 1.0 - Unauthenticated Sensitive Information Disclosure in SMTP Credentials
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:41.143Z

Reserved: 2025-12-10T16:02:23.485Z

Link: CVE-2025-14464

cve-icon Vulnrichment

Updated: 2026-01-14T15:44:18.324Z

cve-icon NVD

Status : Deferred

Published: 2026-01-14T06:15:52.440

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14464

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:30:40Z

Weaknesses