Impact
The vulnerability exists in the E‑Invoice App Malaysia WordPress plugin up to and including version 1.3.0 and allows an attacker to retrieve sensitive system information embedded in the plugin. The flaw is an indirect data exposure weakness (CWE‑497) that could let an unauthorized user gain access to confidential information that should be restricted to privileged roles. The potential impact is a loss of data confidentiality, as the exposed information may include internal identifiers, configuration details, or personal data related to invoicing processes.
Affected Systems
Affected systems are installations of the WordPress plugin E‑Invoice App Malaysia released by o2oe, specifically versions from the earliest available release through 1.3.0. Users running any version of the plugin in that range are at risk. The description does not enumerate additional sub‑versions or granular release dates beyond the <= 1.3.0 cutoff.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. The EPSS score is reported as less than 1%, suggesting a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, it can be triggered by any user with access to the plugin’s administrative interface or, if the plugin exposes data over HTTP, potentially through a publicly reachable endpoint. The exact attack vector is not detailed; it is inferred that unauthorized access is possible through the plugin’s backend or an exposed API. The risk remains significant for environments that process sensitive invoicing data.
OpenCVE Enrichment