Impact
The vulnerability, classified as CWE-201, occurs when the WP AI CoPilot plugin for WordPress inserts sensitive information into data that is sent to users. This allows attackers to retrieve embedded credentials, tokens, or other confidential data, leading to a breach of confidentiality for any information exposed through the plugin interfaces.
Affected Systems
WordPress sites running the WP AI CoPilot plugin, as distributed by WP Messiah, in any version from the earliest supported release up to version 1.2.7.
Risk and Exploitability
The CVSS score of 5 indicates moderate severity, but the EPSS score reported as less than 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Although the CVE description does not specify the exact attack vector, it is likely that an attacker can trigger the data leakage by interacting with the plugin's exposed endpoints or through user requests that invoke the plugin's functionality. Because the plugin processes user inputs, an unauthenticated or low-privilege attacker who can send requests to the site may be able to exploit the flaw. Continuous monitoring and prompt application of the latest plugin update are recommended to mitigate the risk.
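To make the CWE-201 pattern concrete for defenders, the following is an added illustration of how a WordPress plugin can leak configured secrets through a REST response, beside a hardened form. It is constructed for this page and is not code from WP AI CoPilot or WP Messiah; the route namespace, option name, option layout and function names are assumptions. It shows the two controls a reviewer looks for on any plugin endpoint: a real permission_callback rather than __return_true, and redaction of credential fields before the response is built.

```php
<?php
// Added illustration of CWE-201 in a WordPress plugin context (constructed example).
// Not code from WP AI CoPilot or WP Messiah; the route 'example-ai/v1/settings',
// the option 'example_ai_settings' and all function names are assumptions.

// --- Vulnerable pattern: the settings endpoint returns the whole stored option
// array, including an upstream API key, and is callable without authorization.
function example_register_leaky_route() {
    register_rest_route( 'example-ai/v1', '/settings', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // any visitor can call this
        'callback'            => function () {
            // Assumed option layout: array( 'model' => '...', 'api_key' => '...' ).
            // Everything in the array, secrets included, goes straight to the client.
            return rest_ensure_response( get_option( 'example_ai_settings', array() ) );
        },
    ) );
}

// --- Hardened pattern: require a capability and never send secret values.
function example_redact_settings( array $settings ) {
    // Field names assumed for the example; adjust to the plugin's real option keys.
    $secret_keys = array( 'api_key', 'token', 'secret' );
    foreach ( $secret_keys as $key ) {
        if ( isset( $settings[ $key ] ) && '' !== $settings[ $key ] ) {
            // Tell the admin UI a value is set without disclosing it.
            $settings[ $key ] = '[configured]';
        }
    }
    return $settings;
}

function example_register_hardened_route() {
    register_rest_route( 'example-ai/v1', '/settings', array(
        'methods'             => 'GET',
        'permission_callback' => function () {
            // Only site administrators may read plugin configuration.
            return current_user_can( 'manage_options' );
        },
        'callback'            => function () {
            $settings = get_option( 'example_ai_settings', array() );
            return rest_ensure_response( example_redact_settings( (array) $settings ) );
        },
    ) );
}

// Register only the hardened route; the leaky one is kept above for comparison.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

When auditing an installed plugin for this class of issue, grep its source for `permission_callback` values of `__return_true` and for callbacks that return `get_option(...)` results unfiltered, and review web-server access logs for unexpected unauthenticated requests to the plugin's REST namespace; both checks apply to any plugin, not only the one named in this advisory.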
OpenCVE Enrichment