Impact
Insertion of Sensitive Information Into Sent Data in the Blockspare plugin allows an attacker to retrieve embedded sensitive data that should never have been transmitted. Credentials, personal information, or other confidential values that the plugin includes in its output can be exposed, compromising confidentiality. The weakness is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data), a failure to protect or conceal sensitive data before it leaves the application.
Affected Systems
WordPress sites running the Blockspare plugin (CNA: Blockspare) at any version up to and including 3.2.13.2 are affected. The vulnerability applies to every release of the plugin from its initial version through 3.2.13.2, so any WordPress installation using the Blockspare plugin in one of these versions may expose sensitive data.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, with the impact confined primarily to confidentiality. The EPSS score of less than 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog, implying limited known use by threat actors. The likely attack vector is any user who can trigger Blockspare output, such as an unauthenticated visitor or a local user, causing the plugin to render data that includes the hidden sensitive values; the attacker then captures the response and extracts the embedded credentials or personal information. The low exploitation probability reduces urgency, but the confidentiality impact warrants a timely patch.
OpenCVE Enrichment