Description
Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Patch
AI Analysis

Impact

The plugin contains an Insertion of Sensitive Information Into Sent Data vulnerability that allows attackers to retrieve embedded sensitive data, leading to a breach of confidentiality. This weakness aligns with CWE-201 and can expose user information through the plugin’s output.

Affected Systems

The vulnerability affects WordPress sites that utilize the RT-Theme 18 | Extensions plugin from any unreleased version up to and including 2.5. All users of this plugin should review their deployment and ensure the plugin is updated to a patched release.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of spontaneous exploitation. The vulnerability is not listed in the CISA KEV catalog, further indicating limited current exploitation activity. The likely attack vector would involve sending crafted HTTP requests to the plugin’s endpoints, triggering the disclosure of sensitive data. Because the plugin operates within the WordPress environment, sites with publicly accessible endpoints may be exposed without additional authentication or privilege requirements.

Generated by OpenCVE AI on April 13, 2026 at 21:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update rt18-extensions plugin to version 2.6 or newer

Generated by OpenCVE AI on April 13, 2026 at 21:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Stmcan
Stmcan rt-theme 18 | Extensions
Wordpress
Wordpress wordpress
Vendors & Products Stmcan
Stmcan rt-theme 18 | Extensions
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data.This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.5.
Title WordPress RT-Theme 18 | Extensions plugin <= 2.5 - Sensitive Data Exposure vulnerability
Weaknesses CWE-201
References

Subscriptions

Stmcan Rt-theme 18 | Extensions
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:04.616Z

Reserved: 2026-04-07T10:58:22.476Z

Link: CVE-2026-39711

cve-icon Vulnrichment

Updated: 2026-04-13T18:38:25.743Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:44.010

Modified: 2026-04-24T18:05:09.240

Link: CVE-2026-39711

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:38:19Z

Weaknesses