Impact
The vulnerability arises from the insertion of sensitive information into sent data, allowing an attacker to retrieve embedded sensitive data from the Terms Descriptions plugin. The flaw is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the application may inadvertently expose confidential information in responses it sends. An attacker who can trigger the plugin’s data handling routines could gain access to information that should remain hidden, affecting the confidentiality of data stored or displayed by the plugin.
Affected Systems
Affected systems are those running Vladimir Statsenko’s Terms Descriptions plugin on WordPress. Versions up through 3.4.10 (inclusive) are impacted; newer versions are not listed as vulnerable. Administrators should verify the exact version being used and apply the latest patch when available.
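As an added example (not part of the advisory or the plugin's own code), the check below parses the standard WordPress plugin header, reads its Version field and compares it against the advisory's affected range of 3.4.10 and earlier. The plugin's directory and main file name are not given in the advisory, so the header text here is a constructed sample; the function names are the example's own.

```python
import re

# Highest affected version named in the advisory (range is inclusive).
LAST_AFFECTED = "3.4.10"

# Constructed sample of a WordPress plugin header comment block, as found in
# the first kilobytes of a plugin's main PHP file (real file name not given here).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Terms Descriptions
Version: 3.4.10
*/
"""


def parse_version(version):
    """Turn '3.4.10' into (3, 4, 10) for numeric comparison.

    Parsing stops at the first non-numeric segment so that suffixes like
    '-beta' are ignored rather than compared as strings.
    """
    parts = []
    for segment in version.strip().split("."):
        match = re.match(r"\d+", segment)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def plugin_version_from_header(header_text):
    """Extract the 'Version:' field from a WordPress plugin header comment.

    WordPress reads 'Field: value' lines from the header; a leading '*' is
    optional, so both '/* ... */' and '/** * ... */' comment styles are accepted.
    """
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text,
                      re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


def is_affected(version, last_affected=LAST_AFFECTED):
    """True when the installed version is at or below the last affected release.

    Tuple comparison handles shorter versions correctly: (3, 4) sorts before
    (3, 4, 10), and (3, 4, 10, 1) sorts after it.
    """
    return parse_version(version) <= parse_version(last_affected)


if __name__ == "__main__":
    installed = plugin_version_from_header(SAMPLE_HEADER)
    print(installed, "affected" if is_affected(installed) else "not affected")
```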
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% points to a very low likelihood of exploitation at the present time. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is through the plugin’s exposed endpoints or administrative interface, where crafted input can trigger the leakage of sensitive data. The advisory details no specific environmental prerequisites beyond the plugin being installed.
OpenCVE Enrichment