Description
The DAP to Autoresponders Email Syncing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.
Published: 2025-03-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The DAP to Autoresponders Email Syncing plugin for WordPress contains a publicly accessible phpinfo.php script that reveals configuration details and other sensitive data. Because the file is reachable without authentication, an attacker can obtain server environment variables, database credentials, and other secrets, resulting in a loss of confidentiality. This weakness is classified as CWE-200.

Affected Systems

The vulnerability affects all releases of the DAP to Autoresponders Email Syncing plugin up to and including version 1.0, as provided by the vendor bhuvnesh. No further version information is available, so any installation using version 1.0 or earlier is potentially exposed.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact, but the EPSS score of < 1% suggests a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw by simply accessing the phpinfo.php file via any web browser, as the script is unauthenticated and directly served by WordPress. The attack requires no special privileges and thus poses a straightforward risk to any site hosting the affected plugin.

Generated by OpenCVE AI on April 21, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched version of the DAP to Autoresponders Email Syncing plugin that removes or secures the phpinfo.php script.
  • If no patch is available, delete the phpinfo.php file or place it behind authentication or firewall rules to block public access.
  • Verify that all WordPress plugin files in the plugin directory are not world‑readable and that default permissions prevent accidental exposure.

Advisories
Source: EUVD
ID: EUVD-2025-8677
Title: The DAP to Autoresponders Email Syncing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.

History

Mon, 31 Mar 2025 14:15:00 +0000

Values Added:

  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 29 Mar 2025 07:15:00 +0000

Values Added:

  • Description: The DAP to Autoresponders Email Syncing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.
  • Title: DAP to Autoresponders Email Syncing <= 1.0 - Unauthenticated Information Exposure
  • Weaknesses: CWE-200
  • References
  • Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:18.685Z

Reserved: 2025-03-27T00:04:13.307Z

Link: CVE-2025-2840

Vulnrichment

Updated: 2025-03-31T13:19:49.401Z

NVD

Status: Deferred

Published: 2025-03-29T07:15:19.317

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:45:25Z

Weaknesses

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor