Impact
The vulnerability is in the WordPress Ultimate Member Widgets for Elementor plugin and affects versions through 2.3. When a widget is rendered, the plugin inadvertently inserts sensitive information into the data it sends to the client. An attacker can retrieve this embedded confidential data, resulting in unauthorized disclosure. The weakness is a classic sensitive data exposure, classified as CWE-201. Nothing in the description indicates that the flaw affects integrity or availability, so the primary risk is loss of confidentiality.
Affected Systems
UserElements Ultimate Member Widgets for Elementor is the affected product. All WordPress sites with this plugin installed at version 2.3 or earlier are vulnerable, regardless of other WordPress components. No other vendors or products are listed.
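An added example, not taken from the advisory or from the plugin's authors: an inventory check that reads the plugin headers under `wp-content/plugins` and flags installs at version 2.3 or earlier. It assumes the plugin's "Plugin Name" header contains the product name given above; the default path and the sample header are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: the "Plugin Name" header contains the product name used in the
# advisory; the plugin's real header text and folder name are not given there.
PRODUCT = "ultimate member widgets for elementor"
LAST_AFFECTED = (2, 3)  # advisory: versions through 2.3

HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version)[ \t]*:[ \t]*(.+?)[ \t]*(?:\*/)?[ \t]*$",
    re.I | re.M)

def parse_header(text):
    """Extract 'plugin name' and 'version' from a WordPress plugin file header."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):  # WordPress reads the first 8 KB
        fields.setdefault(key.lower(), value.strip())
    return fields

def is_affected(version):
    """True/False for a parseable version, None when it needs manual review."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group().split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 2.3.0 as 2.3
        parts.pop()
    return tuple(parts) <= LAST_AFFECTED

def scan(plugins_dir):
    """Return (file, version, affected) for each matching plugin main file."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = parse_header(php.read_text(encoding="utf-8", errors="replace"))
        if PRODUCT in header.get("plugin name", "").lower():
            version = header.get("version", "")
            findings.append((str(php), version, is_affected(version)))
    return findings

# Constructed sample header, for illustration only.
SAMPLE = "<?php\n/**\n * Plugin Name: Ultimate Member Widgets for Elementor\n * Version: 2.3\n */\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path, version, affected in scan(root):
        print(f"{path}: version {version or '?'} affected={affected}")
```

A result of `None` means the version string could not be parsed and the install should be checked by hand.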
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% indicates a low current probability of exploitation, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is the plugin's exposed endpoints or rendered front-end widgets, since the flaw allows data to be sent to a user without proper filtering. An attacker who can view the rendered widget can capture the sensitive information. The impact remains confined to confidentiality, with no evidence of privilege escalation or denial of service.