Impact
The Eight Day Week Print Workflow plugin for WordPress, in versions up to 1.2.5, contains a flaw (CWE-497) that lets an unauthorized party retrieve sensitive system information embedded in the plugin. The vulnerability arises because the plugin’s data retrieval functionality does not enforce proper access control, so any user who can invoke the relevant API or administrative action can expose confidential details that should be restricted to privileged users. This can compromise the confidentiality of the web application and any data stored in the WordPress database.
Affected Systems
Any WordPress site that installs the 10up Eight Day Week Print Workflow plugin version 1.2.5 or earlier is affected. Site administrators who have not upgraded beyond 1.2.5 or disabled the plugin remain exposed to this information leakage.
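To check a host against the affected range above, the following added example (not part of the advisory or of the plugin's code) scans a `wp-content/plugins` directory, reads each plugin's header and flags copies at version 1.2.5 or earlier. It assumes the plugin's `Plugin Name:` header contains "Eight Day Week"; the function names and the sample directory are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 2, 5)        # from the advisory: versions up to 1.2.5
NAME_MARKER = "eight day week"   # assumption: text of the "Plugin Name:" header
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """Turn '1.2.5' or '1.2.6-beta' into a tuple of ints, or None."""
    nums = re.findall(r"\d+", text.split("-")[0])
    return tuple(int(n) for n in nums) if nums else None

def read_headers(php_file):
    """Read plugin headers from the start of the file (first 8192 characters)."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    headers = {}
    for key, value in HEADER_RE.findall(head):
        headers.setdefault(key.lower(), value)   # first occurrence wins
    return headers

def find_affected(plugins_dir):
    """Return [(directory name, version string, status)] for each copy found."""
    results = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        headers = read_headers(php_file)
        if NAME_MARKER not in headers.get("plugin name", "").lower():
            continue
        version = parse_version(headers.get("version", ""))
        if version is None:
            status = "unknown"   # no parsable version: review by hand
        else:
            padded = version + (0,) * (3 - len(version))
            status = "affected" if padded <= LAST_AFFECTED else "not affected"
        results.append((php_file.parent.name, headers.get("version", ""), status))
    return results

def demo():
    """Scan a constructed plugins directory (sample data, not a real site)."""
    samples = {"copy-a": "1.2.5", "copy-b": "1.2.6", "copy-c": "1.2", "other": None}
    with tempfile.TemporaryDirectory() as root:
        for folder, version in samples.items():
            name = "Eight Day Week" if version else "Some Other Plugin"
            Path(root, folder).mkdir()
            Path(root, folder, "plugin.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version or '9.9'}\n */\n")
        return find_affected(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host, call `find_affected()` with the path to the site's `wp-content/plugins` directory; a status of "unknown" means the version header could not be parsed and the copy needs manual review.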
Risk and Exploitability
The CVSS score of 4.3 classifies the issue as moderate. The EPSS score of less than 1% indicates a very low probability of exploitation in practice, and the vulnerability is not listed in the CISA KEV catalog, reducing the chance of an active exploit. Based on the description, the likely attack vector involves unauthenticated or minimally privileged access to a plugin endpoint that retrieves sensitive data, potentially through the WordPress admin interface or a REST API endpoint. No exploit steps have been disclosed, but any exposed endpoint that can trigger the data retrieval function could be queried by an attacker to read the sensitive data.