Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in redqteam Wishlist wishlist allows Retrieve Embedded Sensitive Data. This issue affects Wishlist: from n/a through <= 2.1.0.
Published: 2025-05-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Wishlist plugin from redqteam allows an unauthorized user to retrieve embedded sensitive system data. Because the plugin does not enforce proper privilege checks when exposing its internal data, an attacker can obtain credentials, configuration details, or other confidential information. The flaw is classified as CWE-497, which denotes exposure of sensitive system information to an unauthorized control sphere. By reading this exposed data, an adversary could potentially advance further attacks against the WordPress site or its underlying server.

Affected Systems

Any WordPress installation that has the redqteam Wishlist plugin installed in version 2.1.0 or earlier is affected. The vulnerability applies universally to all instances of the plugin, regardless of site size, theme, or WordPress version.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate severity. The EPSS score is less than 1%, showing that, at the time of analysis, the likelihood of exploitation is low. The vulnerability is not listed in CISA’s KEV catalog, so there is currently no evidence of active exploitation. Based on the description, the attack vector is likely web‑based, requiring the attacker to send crafted requests to the plugin’s front‑end or exposed API endpoints that return internal data. No public exploit was identified in the available references.

Generated by OpenCVE AI on May 1, 2026 at 08:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the redqteam Wishlist plugin to any version newer than 2.1.0, which removes the exposed data paths.
  • Disable any plugin settings that display internal data to non‑administrator users, ensuring that sensitive information is shown only to privileged roles.
  • Remove or restrict any plugin‑provided API endpoints or front‑end pages that expose sensitive data, for example by applying access‑control checks or limiting the endpoints to administrators only.


Advisories

Source: EUVD
ID: EUVD-2025-15465
Title: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in redqteam Wishlist allows Retrieve Embedded Sensitive Data. This issue affects Wishlist: from n/a through 2.1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in redqteam Wishlist allows Retrieve Embedded Sensitive Data. This issue affects Wishlist: from n/a through 2.1.0.
Values added: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in redqteam Wishlist wishlist allows Retrieve Embedded Sensitive Data.This issue affects Wishlist: from n/a through <= 2.1.0.

Type: Title
Values removed: WordPress Wishlist <= 2.1.0 - Sensitive Data Exposure Vulnerability
Values added: WordPress Wishlist plugin <= 2.1.0 - Sensitive Data Exposure Vulnerability

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Fri, 16 May 2025 16:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 16 May 2025 16:00:00 +0000

Type: Description
Values added: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in redqteam Wishlist allows Retrieve Embedded Sensitive Data. This issue affects Wishlist: from n/a through 2.1.0.

Type: Title
Values added: WordPress Wishlist <= 2.1.0 - Sensitive Data Exposure Vulnerability

Type: Weaknesses
Values added: CWE-497

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:17:06.096Z

Reserved: 2025-03-26T09:23:42.946Z

Link: CVE-2025-31062

Vulnrichment

Updated: 2025-05-16T16:05:09.724Z

NVD

Status: Deferred

Published: 2025-05-16T16:15:36.303

Modified: 2026-04-23T15:27:38.150

Link: CVE-2025-31062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:45:06Z

Weaknesses
  • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere