Impact
The affected AweBooking plugin contains a flaw that causes sensitive information to be inadvertently inserted into data sent to users. Personal or confidential data can therefore be disclosed through normal use of the plugin, potentially compromising user privacy and business integrity. The weakness is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data).
Affected Systems
WordPress sites that use the AweBooking plugin from awethemes, specifically all installations running version 3.2.26 or earlier. The vulnerability is not tied to a particular plugin setting, so any installation within that version range is susceptible.
Risk and Exploitability
The CVSS score of 6.5 places this flaw in the medium severity category. An attacker would typically need access to the website’s interface or the ability to invoke the plugin’s output, which indicates a local or web-based attack vector rather than remote code execution. The EPSS score of less than 1% suggests a low but non-zero probability of exploitation with current publicly available tools. Because the flaw is not listed in CISA’s KEV catalog, there is no evidence of widespread exploitation yet, but the potential for privacy loss makes remediation a high priority.