Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mediavine Mediavine Control Panel mediavine-control-panel allows Retrieve Embedded Sensitive Data. This issue affects Mediavine Control Panel: from n/a through <= 2.10.6.
Published: 2025-04-16
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the mediavine-control-panel plugin for WordPress and allows an unauthorized control sphere to retrieve embedded sensitive system information. This results in the disclosure of confidential data that the plugin stores as configuration values. The weakness is categorized as CWE‑497, which is a confidentiality compromise through improper disclosure of sensitive information.

Affected Systems

Affected systems are WordPress sites that have the Mediavine Control Panel plugin installed, specifically versions up to and including 2.10.6. All earlier releases are also impacted because the issue exists from n/a through 2.10.6. Site administrators should review the plugin version used on their installations.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The EPSS score of less than 1% reflects a very low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the vulnerability can be exploited by sending requests to the plugin’s data retrieval functionality, and the attacker needs either unauthenticated or potentially authenticated access to the plugin’s control page. Because the sensitive data is exposed without proper access checks, the risk persists as long as the plugin remains on a WordPress installation.

Generated by OpenCVE AI on April 30, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed version of the Mediavine Control Panel plugin; if it is 2.10.6 or earlier, update to a newer release.
  • Apply the latest plugin release (2.10.7 or newer) provided by the vendor to eliminate the exposed data retrieval capability.
  • If an update cannot be applied immediately, restrict unauthorized access to the plugin’s data endpoints by configuring web‑server access controls or disable the data retrieval feature via the plugin settings if available.
  • Conduct an audit of the WordPress installation to confirm that no other plugins expose sensitive data, and run vulnerability scanners to ensure the issue has been remedied.

Advisories
Source: EUVD
ID: EUVD-2025-11309
Title: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mediavine Mediavine Control Panel allows Retrieve Embedded Sensitive Data. This issue affects Mediavine Control Panel: from n/a through 2.10.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mediavine Mediavine Control Panel allows Retrieve Embedded Sensitive Data. This issue affects Mediavine Control Panel: from n/a through 2.10.6.
Values Added: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mediavine Mediavine Control Panel mediavine-control-panel allows Retrieve Embedded Sensitive Data.This issue affects Mediavine Control Panel: from n/a through <= 2.10.6.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 16 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mediavine Mediavine Control Panel allows Retrieve Embedded Sensitive Data. This issue affects Mediavine Control Panel: from n/a through 2.10.6.
Title WordPress Mediavine Control Panel plugin <= 2.10.6 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Mediavine Mediavine Control Panel
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:34.675Z

Reserved: 2025-04-16T06:24:54.680Z

Link: CVE-2025-39556

Vulnrichment

Updated: 2025-04-16T14:59:00.745Z

NVD

Status: Deferred

Published: 2025-04-16T13:15:48.560

Modified: 2026-04-23T15:29:47.070

Link: CVE-2025-39556

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:45:03Z

Weaknesses