Impact
The RadiusTheme Classified Listing plugin suffers from a CWE-201 flaw that allows an attacker to retrieve sensitive data embedded in the plugin’s responses. The vulnerability arises from the plugin’s data handling process, which fails to properly conceal confidential information. It is inferred that no additional privileges are required because the description does not mention authentication or elevation, and the data can be accessed through normal plugin functionality. The impact is the disclosure of sensitive information, compromising confidentiality and potentially enabling further exploitation.
Affected Systems
All installations of RadiusTheme's Classified Listing plugin from its earliest release up through version 5.3.4 are affected. Users should verify whether their WordPress site contains this plugin and check the installed version number to assess exposure.
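The version check described above can be scripted. The following is an added example, not code from the plugin or from OpenCVE; it assumes the plugin's "Plugin Name" header contains the text "classified listing" and that the path to `wp-content/plugins` is passed as an argument. The sample header is constructed.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = "5.3.4"           # upper bound of the affected range stated in the advisory
NAME_HINT = "classified listing"  # assumption: substring of the "Plugin Name" header

# Constructed sample of a WordPress plugin header comment (not copied from the plugin).
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Classified Listing\n * Version: 5.3.4\n */\n"

HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.I | re.M)

def parse_header(text):
    """Extract 'plugin name' and 'version' from a plugin file's header comment."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):  # WordPress reads only the first 8 KB
        fields.setdefault(key.lower(), value.strip().rstrip("*/").strip())
    return fields

def version_key(version):
    """Leading dotted-numeric part as a tuple, trailing zeros dropped; None if absent."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    if not m:
        return None
    parts = [int(p) for p in m.group().split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def assess(version):
    """'affected' if version <= 5.3.4, 'outside-range' if newer, 'unknown' if unparseable."""
    key = version_key(version)
    if key is None:
        return "unknown"  # no readable version: check this install by hand
    return "affected" if key <= version_key(LAST_AFFECTED) else "outside-range"

def scan(plugins_dir):
    """Return (file, version, status) for each matching plugin under plugins_dir."""
    results = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        hdr = parse_header(php.read_text(encoding="utf-8", errors="replace"))
        if NAME_HINT in hdr.get("plugin name", "").lower():
            version = hdr.get("version", "")
            results.append((str(php), version, assess(version)))
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, version, status in scan(sys.argv[1]):
            print(f"{status:14} {version:10} {path}")
    else:
        print(assess(parse_header(SAMPLE_HEADER)["version"]))
```

A result of "outside-range" only means the version is newer than the range given here; the advisory text above does not name a fixed release.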
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation at present. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so no confirmed exploitation in the wild is on record there. The likely attack vector is HTTP requests to the plugin’s exposed endpoints, which appears to be remote and available to unauthenticated users; this is an inference from the nature of the data exposure described, not a stated fact. Given the absence of reported exploitation and the low EPSS score, the risk remains primarily theoretical, but remediation is still recommended to eliminate the potential data leakage.