Impact
The BlogAdmin v8.0 system exposes administrator account information through the GetInfoByToken API because the API does not enforce strict access controls. Any holder of a valid session token can retrieve sensitive admin credentials, creating a direct path to credential theft and potential subsequent compromise of the entire system. The weakness is a classic improper access control scenario: it does not alter existing data, but it grants read access to privileged information, threatening confidentiality and potentially enabling lateral movement if an attacker uses the credentials.
Affected Systems
The vulnerability is present in the anjoy8 BlogAdmin application version 8.0 and all earlier releases. Users running these versions are susceptible because the GetInfoByToken endpoint does not restrict access to authenticated administrators only. No other vendor or product variants were identified in the available data.
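To make the access-control gap concrete, here is an added, constructed Python sketch of the pattern (not BlogAdmin's own code; the session store, the target_user_id parameter, the User fields and all token values are assumptions): a weak lookup that serves any valid session next to a hardened one that authorizes the caller's role and omits credential material.

```python
"""Illustrative access-control check for a token-based "get info" endpoint.

Constructed example, not BlogAdmin's code: the session store, user records,
function names and the target_user_id parameter are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    name: str
    role: str           # "admin" or "user"
    password_hash: str  # credential material that must never leave the server


# Constructed sample data: two accounts and two live session tokens.
USERS = {
    1: User(1, "admin", "admin", "$2b$12$constructed-admin-hash"),
    2: User(2, "alice", "user", "$2b$12$constructed-user-hash"),
}
SESSIONS = {  # token -> user_id of the session owner
    "tok-admin-0001": 1,
    "tok-alice-0002": 2,
}


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def get_info_by_token_vulnerable(token: str, target_user_id: int) -> dict:
    """Weak pattern: any valid session can read any account, hash included."""
    if token not in SESSIONS:          # authentication only, no authorization
        raise Forbidden("invalid session")
    user = USERS[target_user_id]
    return {"id": user.user_id, "name": user.name, "role": user.role,
            "password_hash": user.password_hash}   # leaks credential material


def get_info_by_token(token: str, target_user_id: int) -> dict:
    """Hardened: authenticate the token, then authorize the specific read."""
    caller_id = SESSIONS.get(token)
    if caller_id is None:
        raise Forbidden("invalid session")
    # Only sessions that belong to an administrator may read account records.
    if USERS[caller_id].role != "admin":
        raise Forbidden("session is not an administrator session")
    user = USERS[target_user_id]
    # Return only the fields a client needs; never credential material.
    return {"id": user.user_id, "name": user.name, "role": user.role}
```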
Risk and Exploitability
The CVSS score of 7.5 classifies the flaw as high severity, indicating that once an attacker obtains a token, the impact is significant. The EPSS score of less than 1% suggests that exploitation in the wild is currently rare, and the flaw is not listed in the CISA KEV catalog. The likely exploit path requires a valid token, so an attacker may need to acquire or forge one through another vulnerability or through credential reuse. Once a token is available, exploitation is straightforward and requires no complex steps, which raises the risk for affected installations that expose this API to the public internet.
OpenCVE Enrichment