The RadiusTheme ShopBuilder – Elementor WooCommerce Builder Addons plugin (versions <= 3.2.4) contains a flaw that enables retrieval of embedded sensitive system information, allowing attackers to expose confidential data within a WordPress site. Key detail from vendor description: the plugin can expose sensitive system information to an unauthorized control sphere, categorized as CWE-497. This vulnerability compromises confidentiality by exposing embedded sensitive data to anyone who can trigger the flaw.

Affected systems are WordPress installations that include the RadiusTheme ShopBuilder – Elementor WooCommerce Builder Addons plugin from its initial release through version 3.2.4, as specified by vendor documentation. Any site using these versions is susceptible to the data exposure if the plugin is active. Key detail from vendor documentation: all releases from n/a through <= 3.2.4 are affected.

The severity rating per CVSS is 5.3, indicating moderate difficulty in exploitation, while the EPSS score is less than 1%, suggesting a low likelihood of real-world exploitation. Key detail from scoring data: the vulnerability is not listed in the CISA KEV catalog. The description does not explicitly state an authentication requirement, so based on the description it is inferred that an attacker could potentially exploit the flaw via publicly accessible plugin endpoints or through administrative access to the WordPress backend, exposing confidential information.