Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPSwings WooCommerce Ultimate Points And Rewards woocommerce-ultimate-points-and-rewards allows Retrieve Embedded Sensitive Data. This issue affects WooCommerce Ultimate Points And Rewards: from n/a through <= 2.10.2.
Published: 2025-11-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the WooCommerce Ultimate Points And Rewards plugin allows an unauthorized user to retrieve embedded sensitive system information. The flaw stems from improper handling of data stored by the plugin, leading to a data disclosure that is classified as CWE-497. While the plugin functions normally, this weakness can expose user or system data to unauthenticated actors.

Affected Systems

Affected systems are sites using the WPSwings WooCommerce Ultimate Points And Rewards plugin with versions n/a through 2.10.2. No later releases have been confirmed to contain the issue.

Risk and Exploitability

The CVSS score of 4.3 indicates a low-to-moderate impact, and the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog, and no public exploitation has been reported. The likely attack vector is an exposed plugin endpoint that can be reached by users without authentication, allowing them to retrieve sensitive data. Because no patch is currently available, administrators should monitor for official updates and treat exposed data as potentially compromised.

Generated by OpenCVE AI on April 29, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WooCommerce Ultimate Points And Rewards plugin to a version newer than 2.10.2 once it becomes available.
  • If an update cannot be applied immediately, disable the plugin to prevent the exposure of sensitive data.
  • If the plugin’s functionality is required, restrict its usage to trusted users and consider auditing the plugin configuration to ensure no sensitive data is stored or exposed.


Tracking


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
  Values Added:   cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 18:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added:   cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}
                  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 13 Nov 2025 16:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added:   Woocommerce
                  Woocommerce woocommerce
                  Wordpress
                  Wordpress wordpress
                  Wpswings
                  Wpswings ultimate Points And Rewards
Type: Vendors & Products
  Values Removed: (none)
  Values Added:   Woocommerce
                  Woocommerce woocommerce
                  Wordpress
                  Wordpress wordpress
                  Wpswings
                  Wpswings ultimate Points And Rewards

Thu, 13 Nov 2025 09:45:00 +0000

Type: Description
  Values Added: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPSwings WooCommerce Ultimate Points And Rewards woocommerce-ultimate-points-and-rewards allows Retrieve Embedded Sensitive Data. This issue affects WooCommerce Ultimate Points And Rewards: from n/a through <= 2.10.2.
Type: Title
  Values Added: WordPress WooCommerce Ultimate Points And Rewards plugin <= 2.10.2 - Sensitive Data Exposure vulnerability
Type: Weaknesses
  Values Added: CWE-497
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:12.918Z

Reserved: 2025-10-29T03:08:22.609Z

Link: CVE-2025-64267

Vulnrichment

Updated: 2025-11-13T17:56:05.794Z

NVD

Status : Deferred

Published: 2025-11-13T10:15:52.100

Modified: 2026-04-27T16:16:39.027

Link: CVE-2025-64267

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T20:15:19Z

Weaknesses