Description
Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Retrieve Embedded Sensitive Data. This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Patch
AI Analysis

Impact

The 12 Step Meeting List plugin for WordPress contains a flaw that causes sensitive information to be unintentionally included in data that the plugin transmits or exposes to external entities. This can allow attackers to retrieve confidential data that should remain private. The vulnerability corresponds to CWE-201 (Insertion of Sensitive Information Into Sent Data), a form of information exposure to an unauthorized actor. The potential damage includes the disclosure of personal or meeting details that could compromise confidentiality.

Affected Systems

The problem affects the AA Web Servant 12 Step Meeting List WordPress plugin, versions up to and including 3.19.9. Any WordPress site that has installed the plugin and has not applied a later update is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The plugin is web‑based, so the attack vector is likely remote via HTTP requests, allowing attackers to trigger the problematic functionality from outside the site. No additional prerequisites are stated beyond the plugin being active on a publicly reachable WordPress installation.

Generated by OpenCVE AI on April 14, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the 12 Step Meeting List plugin to version 3.20 or later to eliminate the data exposure flaw.
  • If an immediate upgrade is not possible, temporarily disable the plugin or remove any functionality that transmits sensitive data outside the site.
  • Verify that returned data from the plugin’s endpoints no longer contains sensitive information and monitor site logs for any suspicious access attempts.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
 | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Aa Web Servant; Aa Web Servant 12 Step Meeting List; Wordpress; Wordpress wordpress
Vendors & Products | | Aa Web Servant; Aa Web Servant 12 Step Meeting List; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Retrieve Embedded Sensitive Data. This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
Title | | WordPress 12 Step Meeting List plugin <= 3.19.9 - Sensitive Data Exposure vulnerability
Weaknesses | | CWE-201
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.117Z

Reserved: 2026-04-07T10:48:32.434Z

Link: CVE-2026-39570

Vulnrichment

Updated: 2026-04-14T18:04:56.749Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:28.220

Modified: 2026-04-24T18:07:25.343

Link: CVE-2026-39570

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:15:11Z
