Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Designinvento DirectoryPress directorypress allows Retrieve Embedded Sensitive Data.This issue affects DirectoryPress: from n/a through <= 3.6.26.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability located in Designinvento DirectoryPress plugin versions up to 3.6.26 allows the exposure of sensitive system information to an unauthorized control sphere. An attacker can retrieve embedded sensitive data through the plugin, potentially compromising the confidentiality of the site’s configuration or user data. The weakness is associated with CWE-497, describing information leakage.

Affected Systems

Affected are installations of the Designinvento DirectoryPress WordPress plugin ranging from the earliest available build through version 3.6.26. Any site that has not upgraded the plugin beyond this version and still uses it is at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact on confidentiality, and the EPSS score of less than 1% suggests a low probability of public exploitation at the present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves sending a crafted request to a DirectoryPress endpoint or accessing the plugin’s administrative interface without authentication, thereby triggering the disclosure of sensitive data. While exploitation may be straightforward, the absence of a high exploit likelihood reduces immediate urgency, yet action remains recommended to prevent potential data breaches.

Generated by OpenCVE AI on April 29, 2026 at 11:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest DirectoryPress plugin version (3.6.27 or later) if available
  • If a patch is not yet released, temporarily disable or remove the plugin until an update is applied
  • Restrict access to the plugin’s administrative pages to trusted administrators only
  • Monitor the site for suspicious requests attempting to access plugin functionality

Generated by OpenCVE AI on April 29, 2026 at 11:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Tue, 14 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Designinvento
Designinvento directorypress
Wordpress
Wordpress wordpress
Vendors & Products Designinvento
Designinvento directorypress
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Designinvento DirectoryPress directorypress allows Retrieve Embedded Sensitive Data.This issue affects DirectoryPress: from n/a through <= 3.6.26.
Title WordPress DirectoryPress plugin <= 3.6.26 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References

Subscriptions

Designinvento Directorypress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.142Z

Reserved: 2026-04-07T10:48:32.434Z

Link: CVE-2026-39566

cve-icon Vulnrichment

Updated: 2026-04-14T18:09:32.926Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:27.943

Modified: 2026-04-29T10:17:28.837

Link: CVE-2026-39566

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T12:00:11Z

Weaknesses