Impact
A vulnerability in the Masteriyo - LMS WordPress plugin allows an attacker to retrieve embedded sensitive data that is not intended for public disclosure. The issue arises from improper handling or storage of system information, which exposes data that may include configuration details or personal user data. The flaw aligns with CWE-497, indicating that sensitive data is retained in a readable form. The potential impact is a loss of confidentiality: the exposed information could aid further attacks or lead to privacy violations.
Affected Systems
The flaw affects the Masteriyo - LMS learning‑management system plugin for WordPress, in all versions up to and including 2.0.3. Administrators should verify whether their installation falls within this range by checking the plugin version shown in the WordPress admin dashboard.
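One way to run that version check across a server's plugin directory, as an added example that is not part of the advisory or the plugin's code. It assumes the plugin's main PHP file carries the standard WordPress `Plugin Name:` and `Version:` header comment and that the name contains "Masteriyo"; the sample header is constructed.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (2, 0, 3)  # advisory: all versions through 2.0.3 inclusive

# WordPress reads plugin metadata from a comment header near the top of the
# plugin's main PHP file (it inspects the first 8 KB).
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)

def parse_header(text):
    """Return the 'plugin name' and 'version' header fields, if present."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):
        fields.setdefault(key.lower(), value.strip().rstrip("*/ \t"))
    return fields

def version_tuple(version):
    """'2.0.3' -> (2, 0, 3); suffixes like '-beta' or 'rc1' and trailing zeros are dropped."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    parts = [int(p) for p in m.group(1).split(".")] if m else []
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(fields):
    """True for a Masteriyo header whose version is <= 2.0.3."""
    if "masteriyo" not in fields.get("plugin name", "").lower():
        return False
    # A missing or unparseable version yields (), which compares as affected:
    # report it for manual review rather than silently passing it.
    return version_tuple(fields.get("version", "")) <= LAST_AFFECTED

def scan_plugins(plugins_dir):
    """Return [(path, version)] for affected installs under wp-content/plugins."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = parse_header(php.read_text(encoding="utf-8", errors="replace"))
        if is_affected(fields):
            findings.append((str(php), fields.get("version", "unknown")))
    return findings

# Constructed sample header for illustration, not copied from the plugin.
SAMPLE = "<?php\n/**\n * Plugin Name: Masteriyo - LMS\n * Version: 2.0.3\n */\n"

if __name__ == "__main__":
    print("sample affected:", is_affected(parse_header(SAMPLE)))
    for path, version in scan_plugins(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"AFFECTED version={version} {path}")
```

Run it with the path to `wp-content/plugins` as the only argument; it reads files only and makes no network requests.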
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate-severity vulnerability. The EPSS score is reported as less than 1%, suggesting a very low probability of exploitation in the wild at the time of this assessment. The vulnerability is not listed in the CISA KEV catalog, meaning there is no publicly known, ongoing exploitation. The likely attack vector involves a vulnerable WordPress site where an attacker can use the plugin’s exposed endpoint or administrative interface to request the sensitive data. The description does not explicitly document any additional conditions such as authentication, so the flaw could be reachable by unauthenticated users if the endpoint is publicly accessible.
OpenCVE Enrichment