Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in SendPulse SendPulse Email Marketing Newsletter sendpulse-email-marketing-newsletter allows Retrieve Embedded Sensitive Data.This issue affects SendPulse Email Marketing Newsletter: from n/a through <= 2.2.1.
Published: 2025-12-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Patch
AI Analysis

Impact

The plugin contains a flaw that allows an attacker to gain access to embedded sensitive data. This vulnerability can lead to the disclosure of confidential information that the system stores or uses. The flaw is classified as a Sensitive Data Exposure defect, based on CWE-497, meaning data that should not be exposed is rendered available to users who do not have authorization.

Affected Systems

SendPulse Email Marketing Newsletter plugin for WordPress is affected. Versions from the earliest available version through 2.2.1 are vulnerable. Administrators using any of these versions should check the plugin version and upgrade if possible.

Risk and Exploitability

The CVSS score of 4.3 places the issue in the low‑to‑moderate severity range. The EPSS score is under 1 %, indicating that the likelihood of exploitation is low, and the vulnerability is not listed in CISA's KEV catalog. Exploitation is likely to be possible through web requests to the plugin, meaning that any user who can trigger the plugin's exposed functionality or send crafted requests could retrieve sensitive data.

Generated by OpenCVE AI on April 27, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SendPulse Email Marketing Newsletter plugin to version 2.2.2 or later.
  • Restrict access to the plugin's configuration pages so that only privileged administrators can view them.
  • Disable any unused features that may expose sensitive information and review the plugin's network traffic for unexpected data exposure.
  • Monitor for anomalous access patterns to the plugin's endpoints and apply additional application‑layer access controls where feasible.

Generated by OpenCVE AI on April 27, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 16 Dec 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Dec 2025 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Tue, 16 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Sendpulse
Sendpulse sendpulse Email Marketing Newsletter
Wordpress
Wordpress wordpress
Vendors & Products Sendpulse
Sendpulse sendpulse Email Marketing Newsletter
Wordpress
Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in SendPulse SendPulse Email Marketing Newsletter sendpulse-email-marketing-newsletter allows Retrieve Embedded Sensitive Data.This issue affects SendPulse Email Marketing Newsletter: from n/a through <= 2.2.1.
Title WordPress SendPulse Email Marketing Newsletter plugin <= 2.2.1 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References

Subscriptions

Sendpulse Sendpulse Email Marketing Newsletter
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:28:01.541Z

Reserved: 2025-12-15T10:00:06.385Z

Link: CVE-2025-67948

cve-icon Vulnrichment

Updated: 2025-12-16T17:21:22.006Z

cve-icon NVD

Status : Deferred

Published: 2025-12-16T09:15:59.447

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67948

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:30:14Z

Weaknesses