Description
Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Greg TailPress tailpress allows Retrieve Embedded Sensitive Data. This issue affects TailPress: from n/a through <= 0.4.4.
Published: 2025-04-03
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The TailPress plugin for WordPress incorporates a flaw that allows it to write sensitive information—such as credentials, tokens, or personal data—to files or directories that are publicly viewable. This flaw, classified as CWE‑538, means that anyone who can access the web server can read these files, leading to direct exposure of confidential data.

Affected Systems

Any WordPress site that has installed the TailPress plugin version 0.4.4 or earlier is affected. Those sites are at risk if the plugin’s output files are served from web‑accessible directories such as the uploads or plugin folder. Sites with newer releases are presumed unaffected because the issue does not apply to versions beyond 0.4.4.

Risk and Exploitability

The vulnerability has a CVSS score of 5.8, indicating a moderate risk, and the EPSS score is below 1%, suggesting a low likelihood of exploitation at the moment. It is not currently listed in the CISA KEV catalog. Attackers would likely exploit this weakness by sending crafted requests that trigger the plugin to write data to public paths or simply by browsing the web root for already‑written files. Because the data is exposed via the web server, the attack does not require privileged access, making the attack vector effectively remote, though it relies on the vulnerable plugin’s code and web server configuration.

Generated by OpenCVE AI on May 1, 2026 at 01:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TailPress to the latest available release, which removes the publicly writable files.
  • Restrict file permissions on WordPress uploads and plugin directories so that non‑group users cannot read sensitive files; consider setting permissions to 640 or using .htaccess deny rules.
  • Search the site’s public file system for any files containing sensitive data that were created by TailPress and delete them, or configure a web server restriction to block direct access to those files.

Advisories
Source: EUVD
ID: EUVD-2025-14749
Title: Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Greg TailPress allows Retrieve Embedded Sensitive Data. This issue affects TailPress: from n/a through 0.4.4.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Greg TailPress allows Retrieve Embedded Sensitive Data. This issue affects TailPress: from n/a through 0.4.4.
  Values Added: Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Greg TailPress tailpress allows Retrieve Embedded Sensitive Data.This issue affects TailPress: from n/a through <= 0.4.4.
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


Thu, 03 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 03 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Greg TailPress allows Retrieve Embedded Sensitive Data. This issue affects TailPress: from n/a through 0.4.4.
Title WordPress TailPress plugin <= 0.4.4 - Sensitive Data Exposure vulnerability
Weaknesses CWE-538
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:02:16.852Z

Reserved: 2025-03-31T10:05:35.681Z

Link: CVE-2025-31558

Vulnrichment

Updated: 2025-04-03T15:00:02.733Z

NVD

Status: Deferred

Published: 2025-04-03T14:15:37.090

Modified: 2026-04-29T10:16:45.193

Link: CVE-2025-31558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T01:15:05Z
