CVE-2025-60119 - Vulnerability Details

- WordPress CoSchedule Plugin <= 3.3.11 - Sensitive Data Exposure Vulnerability

Description

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in CoSchedule CoSchedule coschedule-by-todaymade allows Retrieve Embedded Sensitive Data.This issue affects CoSchedule: from n/a through <= 3.3.11.

Published: 2025-09-26

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability in CoSchedule plugin for WordPress allows sensitive information to be exposed to an unauthorized control sphere. The flaw enables retrieval of embedded sensitive data and is classified under CWE-497, representing a failure to restrict access to authenticated users. An attacker who can exploit the exposure may learn confidential system details, potentially aiding further attacks.

Affected Systems

This affects all versions of the CoSchedule plugin up to and including 3.3.11 on WordPress installations. The vulnerability applies to every instance of CoSchedule from the earliest release through version 3.3.11.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate overall risk, and the EPSS score of less than 1% suggests that exploitation is unlikely but possible. The vulnerability is not listed in CISA's KEV catalog. Because the description does not specify the exact attack vector, it is inferred that the data retrieval may be possible from the plugin's administrative interface or via requests that an unauthenticated or authenticated user with plugin access can trigger.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

CoSchedule

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.3.11

No data.

Vendor	Product	Confidence	Versions
Coschedule	Coschedule	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the CoSchedule plugin to version 3.3.12 or later
If an upgrade is not feasible, disable or remove the plugin entirely
Restrict WordPress administrator and editor permissions and review user roles to reduce exposure

Generated by OpenCVE AI on April 30, 2026 at 00:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-31280	Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in CoSchedule CoSchedule allows Retrieve Embedded Sensitive Data. This issue affects CoSchedule: from n/a through 3.3.10.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00041.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/coschedule-by-todaymade/vulnerability/wordpress-coschedule-plugin-3-3-10-sensitive-data-exposure-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in CoSchedule CoSchedule allows Retrieve Embedded Sensitive Data. This issue affects CoSchedule: from n/a through 3.3.10.	Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in CoSchedule CoSchedule coschedule-by-todaymade allows Retrieve Embedded Sensitive Data.This issue affects CoSchedule: from n/a through <= 3.3.11.
Title	WordPress CoSchedule Plugin <= 3.3.10 - Sensitive Data Exposure Vulnerability	WordPress CoSchedule Plugin <= 3.3.11 - Sensitive Data Exposure Vulnerability
References	https://patchstack.com/database/wordpress/plugin/coschedule-by-todaymade/vulnerability/wordpress-coschedule-plugin-3-3-10-sensitive-data-exposure-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/coschedule-by-todaymade/vulnerability/wordpress-coschedule-plugin-3-3-10-sensitive-data-exposure-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Mon, 29 Sep 2025 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Coschedule Coschedule coschedule Wordpress Wordpress wordpress
Vendors & Products		Coschedule Coschedule coschedule Wordpress Wordpress wordpress

Fri, 26 Sep 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 26 Sep 2025 08:45:00 +0000

Type	Values Removed	Values Added
Description		Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in CoSchedule CoSchedule allows Retrieve Embedded Sensitive Data. This issue affects CoSchedule: from n/a through 3.3.10.
Title		WordPress CoSchedule Plugin <= 3.3.10 - Sensitive Data Exposure Vulnerability
Weaknesses		CWE-497
References		https://patchstack.com/database/wordpress/plugin/coschedule-by-todaymade/vulnerability/wordpress-coschedule-plugin-3-3-10-sensitive-data-exposure-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

Subscriptions

Coschedule Coschedule

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-09-26T08:31:36.353Z

Updated: 2026-04-28T16:13:55.166Z

Reserved: 2025-09-25T15:20:29.869Z

Link: CVE-2025-60119

Vulnrichment

Updated: 2025-09-26T13:12:22.071Z

NVD

Status : Deferred

Published: 2025-09-26T09:15:38.857

Modified: 2026-04-23T15:34:15.323

Link: CVE-2025-60119

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:15:23Z

Weaknesses

CWE-497

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object