CVE-2025-31001 - Vulnerability Details

- WordPress GTM Kit plugin <= 2.4.0 - Sensitive Data Exposure vulnerability

Description

Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit gtm-kit allows Retrieve Embedded Sensitive Data.This issue affects GTM Kit: from n/a through <= 2.4.0.

Published: 2025-04-01

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The GTM Kit plugin for WordPress contains a flaw in which debug messages reveal unnecessary information, enabling an attacker to retrieve embedded sensitive data. This privacy information disclosure undermines confidentiality, potentially allowing access to configuration details or personal information without requiring system compromise. The weakness is classified as CWE‑1295, a privacy data disclosure vulnerability.

Affected Systems

WordPress sites that include the GTM Kit plugin from any version up to and including 2.4.0 are affected. The vendor is TLA Media, and the product is the GTM Kit WordPress plugin. No sub‑version list beyond the upper bound of 2.4.0 is available.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact. The EPSS score of less than 1% suggests that exploitation attempts are currently rare, and the vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires an actor who can trigger or view the debug output; this may necessitate authenticated administrative access or the plugin displaying logs in the web interface. Once activated, an attacker could harvest sensitive configuration or personal data without altering the system in a destructive manner.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

TLA Media

GTM Kit

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.4.0

No data.

Vendor	Product	Confidence	Versions
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade GTM Kit to the latest available version
Disable debug logging in the plugin configuration or in WordPress’s wp-config.php
Restrict access to any log files or debug output so that only authorized administrators can view them

Generated by OpenCVE AI on May 2, 2026 at 02:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-9072	Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit allows Retrieve Embedded Sensitive Data. This issue affects GTM Kit: from n/a through 2.3.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00233.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/gtm-kit/vulnerability/wordpress-gtm-kit-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve

History

Wed, 29 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit allows Retrieve Embedded Sensitive Data. This issue affects GTM Kit: from n/a through 2.3.1.	Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit gtm-kit allows Retrieve Embedded Sensitive Data.This issue affects GTM Kit: from n/a through <= 2.4.0.
Title	WordPress GTM Kit plugin <= 2.3.1 - Sensitive Data Exposure vulnerability	WordPress GTM Kit plugin <= 2.4.0 - Sensitive Data Exposure vulnerability
References	https://patchstack.com/database/wordpress/plugin/gtm-kit/vulnerability/wordpress-gtm-kit-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/gtm-kit/vulnerability/wordpress-gtm-kit-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Tue, 01 Apr 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 01 Apr 2025 05:45:00 +0000

Type	Values Removed	Values Added
Description		Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit allows Retrieve Embedded Sensitive Data. This issue affects GTM Kit: from n/a through 2.3.1.
Title		WordPress GTM Kit plugin <= 2.3.1 - Sensitive Data Exposure vulnerability
Weaknesses		CWE-1295
References		https://patchstack.com/database/wordpress/plugin/gtm-kit/vulnerability/wordpress-gtm-kit-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-04-01T05:32:24.584Z

Updated: 2026-04-29T09:51:54.810Z

Reserved: 2025-03-26T09:22:48.162Z

Link: CVE-2025-31001

Vulnrichment

Updated: 2025-04-01T13:35:30.891Z

NVD

Status : Deferred

Published: 2025-04-01T06:15:55.710

Modified: 2026-04-29T10:16:44.660

Link: CVE-2025-31001

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T03:00:13Z

Weaknesses

CWE-1295

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object