Description
Insertion of Sensitive Information Into Sent Data vulnerability in Saeed Sattar Beglou Hesabfa Accounting hesabfa-accounting allows Retrieve Embedded Sensitive Data. This issue affects Hesabfa Accounting: from n/a through <= 2.2.5.
Published: 2025-08-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Hesabfa Accounting plugin for WordPress writes sensitive information, such as user credentials or financial details, into log files. The flaw is classified as CWE‑201 (Insertion of Sensitive Information Into Sent Data). An attacker who can read these log files can recover the embedded sensitive data, compromising confidentiality.

Affected Systems

WordPress installations running the Saeed Sattar Beglou Hesabfa Accounting plugin version 2.2.5 or earlier are affected. The vulnerability applies regardless of the operating system because the plugin functions within the WordPress environment.

Risk and Exploitability

The CVSS score of 5.3 corresponds to Medium severity, and the EPSS score of less than 1% indicates a very low estimated likelihood of exploitation. The vulnerability does not appear in the CISA KEV catalog, so no exploitation in the wild is recorded there. Exploitation requires the attacker to read the log files where the sensitive data is stored, which may be possible if the logs sit in a publicly reachable location or if the attacker can read the server file system. Without such access, the risk is limited to cases where an attacker reaches the logs through some other misconfiguration or through user privileges.

Generated by OpenCVE AI on April 30, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Hesabfa Accounting plugin (version 2.2.6 or later) to remove the log‑file flaw.
  • If an upgrade is not immediately possible, restrict access to the plugin’s log directory by setting file permissions to prevent web access or by moving the directory outside the web‑root.
  • Disable or limit logging of sensitive data within the plugin configuration, or modify the plugin’s logging mechanism to exclude confidential information.
  • Monitor the plugin’s log files for unauthorized reads or modifications and configure alerts for suspicious activity.

Advisories
Source: EUVD
ID: EUVD-2025-26018
Title: Insertion of Sensitive Information Into Sent Data vulnerability in Saeed Sattar Beglou Hesabfa Accounting allows Retrieve Embedded Sensitive Data. This issue affects Hesabfa Accounting: from n/a through 2.2.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Insertion of Sensitive Information Into Sent Data vulnerability in Saeed Sattar Beglou Hesabfa Accounting allows Retrieve Embedded Sensitive Data. This issue affects Hesabfa Accounting: from n/a through 2.2.4.
  Added: Insertion of Sensitive Information Into Sent Data vulnerability in Saeed Sattar Beglou Hesabfa Accounting hesabfa-accounting allows Retrieve Embedded Sensitive Data. This issue affects Hesabfa Accounting: from n/a through <= 2.2.5.
Title
  Removed: WordPress Hesabfa Accounting plugin <= 2.2.4 - Sensitive Data Exposure via Log File vulnerability
  Added: WordPress Hesabfa Accounting plugin <= 2.2.5 - Sensitive Data Exposure via Log File vulnerability
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 28 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in Saeed Sattar Beglou Hesabfa Accounting allows Retrieve Embedded Sensitive Data. This issue affects Hesabfa Accounting: from n/a through 2.2.4.
Title WordPress Hesabfa Accounting plugin <= 2.2.4 - Sensitive Data Exposure via Log File vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:57.356Z

Reserved: 2025-05-19T14:41:55.779Z

Link: CVE-2025-48361

Vulnrichment

Updated: 2025-08-28T13:32:03.993Z

NVD

Status: Deferred

Published: 2025-08-28T13:15:56.650

Modified: 2026-04-23T15:31:10.833

Link: CVE-2025-48361

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T15:45:40Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data