Impact
The vulnerability in the Steve Burge TaxoPress WordPress plugin allows sensitive information to be inserted into data that is then transmitted. An attacker who succeeds in triggering this behavior can retrieve embedded sensitive data from the plugin’s output, effectively compromising the confidentiality of information that was not intended for exposure. The weakness is identified as CWE‑201, a Sensitive Information Exposure flaw, and the available CVSS score of 4.3 reflects a low‑to‑moderate overall severity.
Affected Systems
WordPress sites that have the TaxoPress plugin version 3.37.2 or earlier installed are affected. The vulnerability applies to all releases from the plugin’s earliest public version through 3.37.2. This includes sites using the simple‑tags feature of TaxoPress to manage taxonomy tags.
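The affected range above is "3.37.2 and earlier", and the one practical pitfall in checking it is that plugin versions are dotted strings: a naive string comparison ranks 3.37.10 below 3.37.2. The following script is an added example, not code from the advisory or from the TaxoPress project; it assumes the plugin's main file carries the standard WordPress plugin header (a `Version:` line) and that the sample header below is constructed for illustration.

```python
"""Check whether an installed TaxoPress build falls in the affected range.

Added example, not part of the advisory. Assumes the plugin's main PHP file
uses the standard WordPress plugin header, and that the affected range is
every release up to and including 3.37.2, as the advisory states.
"""
import re

AFFECTED_MAX = "3.37.2"  # last affected release per the advisory


def parse_version(s: str) -> tuple:
    """Split a dotted version into a tuple of ints so 3.37.10 sorts above 3.37.2.

    A trailing suffix on a component (e.g. '0-beta') is ignored; a component
    with no leading digits counts as 0. Missing components are padded with 0.
    """
    parts = []
    for p in s.strip().split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def header_version(plugin_file_text: str):
    """Extract the Version: field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_file_text, re.M)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when the version is 3.37.2 or earlier."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)


# Constructed sample header, modelled on the standard WordPress plugin header.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: TaxoPress
 * Version: 3.37.2
 */
"""


def check_plugin(plugin_file_text: str):
    """Return (version, affected) for a plugin file, or None if no header found."""
    v = header_version(plugin_file_text)
    if v is None:
        return None
    return (v, is_affected(v))


if __name__ == "__main__":
    # On a real site, read the plugin's main file instead of SAMPLE_HEADER.
    print(check_plugin(SAMPLE_HEADER))  # ('3.37.2', True)
```

In practice, point `check_plugin` at the plugin's main PHP file under `wp-content/plugins/`; the tuple comparison is what keeps a future 3.37.10 from being misreported as affected.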
Risk and Exploitability
The CVSS score of 4.3 places the issue in the medium risk range, but the EPSS score of less than 1 % indicates that exploitation is currently expected to be rare. The vulnerability is not listed in the CISA KEV catalog, further suggesting it is not actively exploited in the wild. The attack vector is not explicitly documented, but the language of the description implies an exploit may be carried out by feeding crafted input to the plugin that causes it to embed sensitive data into sent responses. If an attacker can deliver such input, most likely through a web request to the WordPress installation, the exposed data could be read by the attacker or a third party.