Description
Insertion of Sensitive Information Into Sent Data vulnerability in Ideal Postcodes UK Address Postcode Validation uk-address-postcode-validation allows Retrieve Embedded Sensitive Data.This issue affects UK Address Postcode Validation: from n/a through <= 3.9.2.
Published: 2025-09-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Insertion of Sensitive Information Into Sent Data flaw in the Ideal Postcodes UK Address Postcode Validation plugin. It allows an attacker to retrieve embedded sensitive data from HTTP responses or other outbound data generated by the plugin. This results in a privacy breach where personal information such as addresses and postcodes may be exfiltrated. The weakness is classified as CWE-201, a sensitive data exposure vulnerability.

Affected Systems

This issue affects all installations of the Ideal Postcodes UK Address Postcode Validation WordPress plugin through version 3.9.2. The plugin is used by WordPress sites that enable postcode validation, and any site running these affected versions is vulnerable.

Risk and Exploitability

The CVSS score is 5.3, indicating medium severity, while the EPSS score is less than 1%, suggesting a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a remote request to the website that triggers the plugin’s postcode validation logic, resulting in sensitive data being sent in the response; this inference is based on the plugin’s function as described.

Generated by OpenCVE AI on April 30, 2026 at 00:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to the latest version (≥3.9.3) to eliminate the data exposure flaw.
  • If an update is not immediately possible, disable the postcode validation feature or restrict its use to prevent the plugin from sending sensitive data.
  • Verify and configure the plugin settings to ensure that no personal or sensitive information is included in outbound requests or responses.

Generated by OpenCVE AI on April 30, 2026 at 00:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30709 Insertion of Sensitive Information Into Sent Data vulnerability in Ideal Postcodes UK Address Postcode Validation allows Retrieve Embedded Sensitive Data. This issue affects UK Address Postcode Validation: from n/a through 3.9.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description An Insertion of Sensitive Information into Sent Data vulnerability in the Ideal Postcodes UK Address Postcode Validation WordPress plugin exposes the API key, allowing unauthorized third parties to retrieve and reuse the key across any domain. Since API keys are unrestricted by default, with the “Allowed URLs” field left empty upon creation of API key this can lead to unauthorized use and depletion of API credits.Note: the vulnerability is assessed based on the default configuration.This issue affects UK Address Postcode Validation: from n/a through 3.9.2. Insertion of Sensitive Information Into Sent Data vulnerability in Ideal Postcodes UK Address Postcode Validation uk-address-postcode-validation allows Retrieve Embedded Sensitive Data.This issue affects UK Address Postcode Validation: from n/a through <= 3.9.2.
Title WordPress UK Address Postcode Validation Plugin <= 3.9.2 - Sensitive Data Exposure Vulnerability WordPress UK Address Postcode Validation plugin <= 3.9.2 - Sensitive Data Exposure vulnerability
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Fri, 24 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
References

Fri, 24 Oct 2025 15:30:00 +0000

Type Values Removed Values Added
Description An Insertion of Sensitive Information into Sent Data vulnerability in the Ideal Postcodes UK Address Postcode Validation WordPress plugin exposes the API key, allowing unauthorized third parties to retrieve and reuse the key across any domain. Since API keys are unrestricted by default, with the “Allowed URLs” field left empty upon creation of API key this can lead to unauthorized use and depletion of API credits. Note: the vulnerability is assessed based on the default configuration. This issue affects UK Address Postcode Validation: from n/a through 3.9.2. An Insertion of Sensitive Information into Sent Data vulnerability in the Ideal Postcodes UK Address Postcode Validation WordPress plugin exposes the API key, allowing unauthorized third parties to retrieve and reuse the key across any domain. Since API keys are unrestricted by default, with the “Allowed URLs” field left empty upon creation of API key this can lead to unauthorized use and depletion of API credits.Note: the vulnerability is assessed based on the default configuration.This issue affects UK Address Postcode Validation: from n/a through 3.9.2.

Fri, 24 Oct 2025 04:00:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in Ideal Postcodes UK Address Postcode Validation allows Retrieve Embedded Sensitive Data. This issue affects UK Address Postcode Validation: from n/a through 3.9.2. An Insertion of Sensitive Information into Sent Data vulnerability in the Ideal Postcodes UK Address Postcode Validation WordPress plugin exposes the API key, allowing unauthorized third parties to retrieve and reuse the key across any domain. Since API keys are unrestricted by default, with the “Allowed URLs” field left empty upon creation of API key this can lead to unauthorized use and depletion of API credits. Note: the vulnerability is assessed based on the default configuration. This issue affects UK Address Postcode Validation: from n/a through 3.9.2.
References

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in Ideal Postcodes UK Address Postcode Validation allows Retrieve Embedded Sensitive Data. This issue affects UK Address Postcode Validation: from n/a through 3.9.2.
Title WordPress UK Address Postcode Validation Plugin <= 3.9.2 - Sensitive Data Exposure Vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:38.528Z

Reserved: 2025-08-22T11:36:12.721Z

Link: CVE-2025-57923

cve-icon Vulnrichment

Updated: 2025-09-23T14:12:08.704Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:15:49.183

Modified: 2026-04-23T15:33:02.370

Link: CVE-2025-57923

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:45:24Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data