Description
Insertion of Sensitive Information Into Sent Data vulnerability in wpdesk ShopMagic shopmagic-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects ShopMagic: from n/a through <= 4.5.6.
Published: 2025-10-22
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a user to trigger the wpdesk ShopMagic plugin to embed sensitive information in data that the plugin sends or records. This can result in confidential data being exposed to external recipients or logs. The weakness is classified as CWE‑201, indicating that sensitive data is handled improperly before transmission or storage.

Affected Systems

All installations of the ShopMagic plugin for WooCommerce with version 4.5.6 or earlier are affected. Site owners should verify the active plugin version and ensure it is not within the vulnerable range.

Risk and Exploitability

The CVSS score of 5.8 indicates medium severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely. The flaw is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through normal operation of the plugin, where sensitive data may be transmitted or logged, allowing an attacker to intercept or read that data.

Generated by OpenCVE AI on May 1, 2026 at 06:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ShopMagic plugin version 4.5.7 or newer to remove the flaw.
  • If an immediate upgrade cannot be performed, disable the ShopMagic plugin or any features that transmit or log sensitive information.
  • Restrict outbound traffic from the WordPress instance to external services such as the Shopify API to limit potential data leakage.

Generated by OpenCVE AI on May 1, 2026 at 06:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}

Thu, 23 Oct 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 22 Oct 2025 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 22 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in wpdesk ShopMagic shopmagic-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects ShopMagic: from n/a through <= 4.5.6.
Title WordPress ShopMagic plugin <= 4.5.6 - Sensitive Data Exposure vulnerability
Weaknesses CWE-201
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:56.611Z

Reserved: 2025-09-17T18:01:03.002Z

Link: CVE-2025-59578

cve-icon Vulnrichment

Updated: 2025-10-22T20:25:52.845Z

cve-icon NVD

Status : Deferred

Published: 2025-10-22T15:15:56.040

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-59578

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:15:10Z

Weaknesses