Description
Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster wp-mailster allows Retrieve Embedded Sensitive Data. This issue affects WP Mailster: from n/a through <= 1.8.17.0.
Published: 2025-01-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insertion of sensitive information into outbound email data via the WP Mailster plugin. An attacker can retrieve confidential data that was unintentionally embedded in the email payload created by the plugin, potentially exposing private user information or system credentials. This flaw arises from improper handling of sensitive content in the email generation process and results in unauthorized disclosure of protected data.

Affected Systems

The flaw affects the WP Mailster plugin developed by brandtoss for WordPress. Versions up to and including 1.8.17.0 are impacted. WordPress sites that install or rely on those plugin versions are vulnerable to sensitive data leakage through the plugin’s email functionality.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity, while the EPSS score is below 1%, suggesting a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation would typically require the attacker to trigger the plugin’s email sending logic, which could be achieved through normal site operations or by submitting input that causes emails to be sent. Although no public exploit is known, the low EPSS score and lack of a KEV listing reduce the immediate risk, making regular monitoring and patching the most effective mitigations.

Generated by OpenCVE AI on May 2, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading WP Mailster to any release newer than 1.8.17.0, which resolves the CWE-201 issue by ensuring sensitive data is not inadvertently included in outgoing emails.
  • Disable or uninstall WP Mailster if the functionality is not required, or restrict its use to trusted administrators only, to limit potential exposure of sensitive information.
  • Review and sanitize outgoing email content, ensuring that any fields that could contain protected data are excluded or properly masked in accordance with CWE-201 best practices.


Advisories

Source: EUVD
ID: EUVD-2025-2703
Title: Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster allows Retrieve Embedded Sensitive Data. This issue affects WP Mailster: from n/a through 1.8.17.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values removed: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster allows Retrieve Embedded Sensitive Data. This issue affects WP Mailster: from n/a through 1.8.17.0.
Values added: Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster wp-mailster allows Retrieve Embedded Sensitive Data. This issue affects WP Mailster: from n/a through <= 1.8.17.0.

Type: References
(no values listed)

Type: Metrics (cvssV3_1)
Values removed: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Tue, 11 Feb 2025 20:00:00 +0000

Type: First Time appeared
Values added: Wpmailster; Wpmailster wp Mailster

Type: Weaknesses
Values added: NVD-CWE-Other

Type: CPEs
Values added: cpe:2.3:a:wpmailster:wp_mailster:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values added: Wpmailster; Wpmailster wp Mailster

Tue, 07 Jan 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Jan 2025 11:00:00 +0000

Type: Description
Values added: Insertion of Sensitive Information Into Sent Data vulnerability in brandtoss WP Mailster allows Retrieve Embedded Sensitive Data. This issue affects WP Mailster: from n/a through 1.8.17.0.

Type: Title
Values added: WordPress WP Mailster plugin <= 1.8.17.0 - Sensitive Data Exposure vulnerability

Type: Weaknesses
Values added: CWE-201

Type: References
(no values listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:58.852Z

Reserved: 2025-01-03T13:16:00.603Z

Link: CVE-2025-22303

Vulnrichment

Updated: 2025-01-07T15:55:29.707Z

NVD

Status : Modified

Published: 2025-01-07T11:15:14.563

Modified: 2026-04-23T15:22:58.540

Link: CVE-2025-22303

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses