Description
Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data. This issue affects Sunshine Photo Cart: from n/a through < 3.6.2.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Apply Patch
AI Analysis

Impact

WordPress sites running the Sunshine Photo Cart plugin before version 3.6.2 may experience a privacy breach. The plugin's code inserts sensitive information into responses that are sent to the client, allowing anyone who can invoke the vulnerable functionality to retrieve confidential data such as private images, transaction details, or customer credentials. The flaw is a classic Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability, where data that should not be exposed is inadvertently included in the output.

Affected Systems

All WordPress installations that have not updated the Sunshine Photo Cart plugin to at least version 3.6.2 are affected. This covers every release from the plugin's initial launch up to, but not including, 3.6.2, so any site using the plugin without the patch is potentially exposed.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as Medium severity, and the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, so no widespread attacks are currently known. The likely attack vector is sending crafted HTTP requests to the plugin's exposed endpoints or simply viewing publicly available pages; authentication is not required to access the sensitive data, as the plugin emits it in regular responses.

Generated by OpenCVE AI on April 14, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Sunshine Photo Cart plugin version 3.6.2 or higher.
  • If an upgrade cannot be performed immediately, limit access to the plugin's pages that expose sensitive data, for example by restricting them to authenticated users or using role-based permissions.
  • Verify that publicly accessible pages no longer contain sensitive data by manually inspecting the site or using automated security scanning tools.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 19:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Sunshinephotocart; Sunshinephotocart sunshine Photo Cart; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Sunshinephotocart; Sunshinephotocart sunshine Photo Cart; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Removed: none
Values Added: Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data. This issue affects Sunshine Photo Cart: from n/a through < 3.6.2.

Type: Title
Values Removed: none
Values Added: WordPress Sunshine Photo Cart plugin < 3.6.2 - Sensitive Data Exposure vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-201

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.141Z

Reserved: 2026-04-07T10:48:32.434Z

Link: CVE-2026-39564

Vulnrichment

Updated: 2026-04-14T18:13:24.673Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:27.637

Modified: 2026-04-24T18:07:25.343

Link: CVE-2026-39564

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z
