Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in NerdPress Hubbub Lite social-pug allows Retrieve Embedded Sensitive Data. This issue affects Hubbub Lite: from n/a through <= 1.35.2.
Published: 2025-09-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WordPress Social Pug plugin contains a flaw that allows an unauthorized actor to acquire embedded sensitive system information. The plugin’s handling of certain requests inadvertently reveals details that should be protected, effectively exposing confidential data to an external control sphere. Because the vulnerability is tied to plugin logic rather than a lower-level system deficiency, the attacker does not need to compromise the underlying server‑operating system; gaining access to the plugin’s interfaces is sufficient to exploit this weakness. This flaw is classified as CWE‑497.

Affected Systems

All installations of NerdPress Hubbub Lite Social Pug plugin from the earliest version through 1.35.2 are affected. Any WordPress site that has deployed the plugin in this version range is at risk.

Risk and Exploitability

The CVSS score of 4.3 places the issue in the moderate range, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves HTTP requests to the plugin’s endpoint or administrative interface; an attacker with web access to the site can trigger the data exposure, although additional credentials may be required depending on site configuration.

Generated by OpenCVE AI on April 30, 2026 at 06:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Social Pug plugin to version 1.36 or newer, which removes the data‑exposure flaw.
  • If the plugin is no longer needed, uninstall or completely disable it to eliminate the attack surface.
  • Configure the WordPress install and web server to restrict access to the plugin’s administrative pages, ensuring only trusted users can reach the interfaces that previously allowed data retrieval.

Advisories
Source: EUVD
ID: EUVD-2025-30620
Title: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in NerdPress Social Pug allows Retrieve Embedded Sensitive Data. This issue affects Social Pug: from n/a through 1.35.1.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in NerdPress Social Pug allows Retrieve Embedded Sensitive Data. This issue affects Social Pug: from n/a through 1.35.1.
  Added: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in NerdPress Hubbub Lite social-pug allows Retrieve Embedded Sensitive Data. This issue affects Hubbub Lite: from n/a through <= 1.35.2.
Title
  Removed: WordPress Social Pug Plugin <= 1.35.1 - Sensitive Data Exposure Vulnerability
  Added: WordPress Social Pug Plugin <= 1.35.2 - Sensitive Data Exposure Vulnerability
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Thu, 25 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared:
  Nerdpress
  Nerdpress social Pug Wordpress
  Wordpress
  Wordpress wordpress
Vendors & Products:
  Nerdpress
  Nerdpress social Pug Wordpress
  Wordpress
  Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in NerdPress Social Pug allows Retrieve Embedded Sensitive Data. This issue affects Social Pug: from n/a through 1.35.1.
Title WordPress Social Pug Plugin <= 1.35.1 - Sensitive Data Exposure Vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:40.505Z

Reserved: 2025-08-22T11:37:41.965Z

Link: CVE-2025-58007

Vulnrichment

Updated: 2025-09-25T13:54:51.204Z

NVD

Status: Deferred

Published: 2025-09-22T19:16:02.153

Modified: 2026-04-23T15:33:13.470

Link: CVE-2025-58007

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T06:45:16Z

Weaknesses