Description
Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7.
Published: 2025-08-20
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The identified flaw in WPDeveloper’s Templately plugin permits the insertion of sensitive information into outgoing data, enabling an attacker or malicious user to retrieve embedded confidential data. The critical nature of the weakness is reflected by a CVSS score of 10, and the referenced CWE‑201 category highlights the improper handling of protected data.

Affected Systems

The vulnerability affects the WordPress Templately plugin from the earliest version through 3.2.7. It is present in all releases of the plugin distributed by WPDeveloper up to that point, but any installation using version 3.2.8 or newer is unaffected.

Risk and Exploitability

With an EPSS score of less than 1 % the probability of real‑world exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. Nonetheless, the high CVSS score indicates that, if an attacker can embed sensitive payloads into a template that is rendered by the plugin, they could obtain data that should remain private. The likely attack vector involves the normal rendering pathway of the plugin where template contents are processed and displayed.

Generated by OpenCVE AI on April 30, 2026 at 08:14 UTC.

Remediation

Vendor Solution

Update the WordPress Templately plugin to the latest available version (at least 3.2.8).

OpenCVE Recommended Actions

  • Update the WordPress Templately plugin to version 3.2.8 or newer.
  • Review the plugin’s configuration and template files to ensure no sensitive data is hard‑coded or inadvertently included.
  • If an immediate update is not feasible, temporarily disable or remove the Templately plugin to stop possible data leakage.
  • After disabling or updating, audit site logs for any anomalous data reads that might have occurred during the vulnerability window.

Generated by OpenCVE AI on April 30, 2026 at 08:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28302 Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7.
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Unrestricted Upload of File with Dangerous Type vulnerability in WPDeveloper Premium Age Verification / Restriction for WordPress age-restriction allows Using Malicious Files.This issue affects Premium Age Verification / Restriction for WordPress: from n/a through <= 3.0.2. Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7.
Title WordPress Premium Age Verification / Restriction for WordPress Plugin <= 3.0.2 - Arbitrary File Upload Vulnerability WordPress Templately Plugin <= 3.2.7 - Sensitive Data Exposure Vulnerability
Weaknesses CWE-201
References

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-201
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7. Unrestricted Upload of File with Dangerous Type vulnerability in WPDeveloper Premium Age Verification / Restriction for WordPress age-restriction allows Using Malicious Files.This issue affects Premium Age Verification / Restriction for WordPress: from n/a through <= 3.0.2.
Title WordPress Templately Plugin <= 3.2.7 - Sensitive Data Exposure Vulnerability WordPress Premium Age Verification / Restriction for WordPress Plugin <= 3.0.2 - Arbitrary File Upload Vulnerability
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Thu, 21 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Templately
Templately templately
Wordpress
Wordpress wordpress
Vendors & Products Templately
Templately templately
Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7.
Title WordPress Templately Plugin <= 3.2.7 - Sensitive Data Exposure Vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Templately Templately
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:04.127Z

Reserved: 2025-06-04T15:44:12.381Z

Link: CVE-2025-49408

cve-icon Vulnrichment

Updated: 2025-08-20T18:05:29.740Z

cve-icon NVD

Status : Deferred

Published: 2025-08-20T08:15:35.863

Modified: 2026-04-28T19:33:05.473

Link: CVE-2025-49408

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T08:15:32Z

Weaknesses