Impact
The SUMO Affiliates Pro WordPress plugin contains a flaw that enables the retrieval of embedded sensitive data. This results in the exposure of system information to users who are not authorized to view it, classified as CWE-497 (Inadequate Verification of Data in Excessive Outputs). The CVSS score of 4.3 indicates moderate severity: the leakage can give attackers details about the site’s configuration or affiliate data, but it does not by itself compromise overall system control.
Affected Systems
The affected product is FantasticPlugins’ SUMO Affiliates Pro plugin. All releases from the earliest available version up to and including 11.0.0 are impacted. Every instance of the plugin installed on a WordPress site within this version range is susceptible.
Risk and Exploitability
The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that an attacker would need to interact with the plugin’s administrative interface or an exposed endpoint to trigger the data retrieval pathway; whether that interaction requires authentication depends on the site’s configuration. The impact is limited to the disclosure of sensitive data and does not allow full system compromise.
OpenCVE Enrichment