Description
Subscriber Sensitive Data Exposure in WPPizza <= 3.19.9 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a sensitive data exposure issue in the WordPress WPPizza plugin that allows an attacker to access subscriber information in versions 3.19.9 and earlier. The weakness is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). Unauthorized users could obtain personal data such as names, addresses, phone numbers, and payment details, potentially leading to privacy violations, phishing, or other downstream attacks. No evidence suggests that an attacker can gain code execution or modify site content; the confidentiality of subscriber data is the primary concern.

Affected Systems

The affected product is the WPPizza plugin developed by ollybach. All releases up to and including version 3.19.9 are vulnerable. To assess risk, site administrators should check whether the installed plugin version is 3.19.9 or earlier.

Risk and Exploitability

The CVSS score of 6.5 classifies the vulnerability as medium severity. The CVSS vector (AV:N/AC:L/PR:L/UI:N) describes a network-reachable, low-complexity attack that requires a low-privileged account and no user interaction. The EPSS score of less than 1% indicates a very low estimated probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog, implying it is not known to be widely abused. The likely attack vector is a web-based request to the plugin's endpoints or data retrieval pages, but specific exploit details are not provided in the CVE description, so the true ease of exploitation remains uncertain.

Generated by OpenCVE AI on June 16, 2026 at 23:21 UTC.

Remediation

Vendor Solution

Update the WordPress WPPizza Plugin to the latest available version (at least 3.20).


OpenCVE Recommended Actions

  • Update the WordPress WPPizza Plugin to the latest available version (at least 3.20).
  • If an immediate update is not possible, consider disabling or uninstalling the WPPizza plugin until a patch is applied.
  • Restrict access to subscriber data by enabling role-based permissions or implementing a firewall rule to block direct requests to the plugin's exposed endpoints.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | Subscriber Sensitive Data Exposure in WPPizza <= 3.19.9 versions.
Title | | WordPress WPPizza plugin <= 3.19.9 - Sensitive Data Exposure vulnerability
Weaknesses | | CWE-497
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:39:35.885Z

Reserved: 2026-04-15T09:20:46.957Z

Link: CVE-2026-40796

Vulnrichment

Updated: 2026-06-16T14:39:32.060Z

NVD

Status: Deferred

Published: 2026-06-15T21:16:52.023

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:30:15Z

Weaknesses
  • CWE-497

    Exposure of Sensitive System Information to an Unauthorized Control Sphere