Description
Insertion of Sensitive Information Into Sent Data vulnerability in publitio Publitio publitio allows Retrieve Embedded Sensitive Data.This issue affects Publitio: from n/a through <= 2.2.5.
Published: 2025-10-27
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to insert sensitive information into data transmitted by the Publitio plugin, enabling the attacker to retrieve hidden secrets such as API keys or credentials. This results in leakage of confidential data that could facilitate further compromise. The weakness is identified as CWE‑201, insertion of sensitive information into sent data. The impact is a loss of confidentiality for any data managed by the plugin, without directly affecting availability or integrity.

Affected Systems

Any WordPress site using the Publitio plugin version 2.2.5 or older is affected. This includes all installations of the plugin whose active version is not a more recent release. Site owners should verify the plugin version and confirm whether updates or changes to the component have been applied.

Risk and Exploitability

The CVSS score is 5.0, indicating medium severity. The EPSS score is less than 1%, reflecting a very low current exploitation probability. It is not listed in the CISA KEV catalog. The likely attack vector is via normal web requests to the plugin’s endpoints, as the flaw is inherent to the plugin’s routine operation. An attacker would need network access to the affected WordPress installation but no special privileges are required. Overall, the risk is moderate with limited evidence of active exploitation.

Generated by OpenCVE AI on April 29, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Publitio plugin to version 2.2.6 or later, which removes the data exposure flaw.
  • If an update is not immediately possible, disable the Publitio plugin to prevent data leakage until a patch is applied.
  • Audit configuration files for embedded credentials and remove or encrypt any hard‑coded sensitive data used by the plugin.

Generated by OpenCVE AI on April 29, 2026 at 23:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in publitio Publitio publitio allows Retrieve Embedded Sensitive Data.This issue affects Publitio: from n/a through <= 2.2.3. Insertion of Sensitive Information Into Sent Data vulnerability in publitio Publitio publitio allows Retrieve Embedded Sensitive Data.This issue affects Publitio: from n/a through <= 2.2.5.
Title WordPress Publitio plugin <= 2.2.3 - Sensitive Data Exposure vulnerability WordPress Publitio plugin <= 2.2.5 - Sensitive Data Exposure vulnerability

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 28 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in publitio Publitio publitio allows Retrieve Embedded Sensitive Data.This issue affects Publitio: from n/a through <= 2.2.3.
Title WordPress Publitio plugin <= 2.2.3 - Sensitive Data Exposure vulnerability
Weaknesses CWE-201
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:06.820Z

Reserved: 2025-10-24T14:24:48.654Z

Link: CVE-2025-62947

cve-icon Vulnrichment

Updated: 2025-10-27T15:10:46.059Z

cve-icon NVD

Status : Deferred

Published: 2025-10-27T02:15:55.013

Modified: 2026-04-27T17:16:37.230

Link: CVE-2025-62947

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T23:30:22Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data