Description
Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Retrieve Embedded Sensitive Data. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.2.
Published: 2026-02-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Immediate Patch
AI Analysis

Impact

The Advanced WooCommerce Product Sales Reporting plugin contains a flaw that allows sensitive user and transaction details to be embedded in exported data or reports. When a user or attacker accesses the reporting functionality, confidential information such as names, addresses, or credit card numbers can be inadvertently revealed. This issue falls under CWE‑201 and can compromise the confidentiality of customer data.

Affected Systems

The vulnerability exists in the WPFactory‑derived Advanced WooCommerce Product Sales Reporting plugin for WordPress. Affected releases range from the earliest available versions up to and including version 4.1.2. Any site running these plugin versions, regardless of WordPress version, is potentially impacted.

Risk and Exploitability

The CVSS score of 5.3 rates the vulnerability as Medium severity, and the EPSS score of less than 1% indicates a very low probability of exploitation at present. The issue is not listed in CISA’s KEV catalog. An attacker could exploit the vulnerability by triggering the plugin’s data export or report generation features, which are typically accessed via the WordPress admin interface. Since the vulnerability requires only access to the reporting endpoints, anyone with sufficient site privileges (or a guest who can initiate a report request if the plugin is publicly exposed) could acquire the leaked data.

Generated by OpenCVE AI on April 16, 2026 at 01:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Advanced WooCommerce Product Sales Reporting to version 4.1.3 or later.
  • Restrict access to reporting features so that only authenticated administrators can generate sales reports.
  • Audit recent report exports for any inclusion of sensitive customer information and purge or re‑export as appropriate.


Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpfactory; Wpfactory advanced Woocommerce Product Sales Reporting

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpfactory; Wpfactory advanced Woocommerce Product Sales Reporting

Tue, 03 Feb 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 14:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Retrieve Embedded Sensitive Data. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.2.

Type: Title
Values Removed: (none)
Values Added: WordPress Advanced WooCommerce Product Sales Reporting plugin <= 4.1.2 - Sensitive Data Exposure vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-201

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:38.517Z

Reserved: 2026-01-28T09:50:51.017Z

Link: CVE-2026-24992

Vulnrichment

Updated: 2026-02-03T17:00:08.275Z

NVD

Status: Deferred

Published: 2026-02-03T15:16:18.367

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:30:20Z

Weaknesses