Description
Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1.
Published: 2026-04-27
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure (confidentiality compromise)
Action: Patch Update
AI Analysis

Impact

A flaw in the WordPress Templately plugin allows the insertion of sensitive information into data that is transmitted back to the requester. The vulnerability is classified as CWE‑201 and permits an attacker to retrieve embedded sensitive data, thus exposing confidential information that should not be publicly available.

Affected Systems

The issue affects the WPDeveloper Templately plugin for WordPress, introducing the vulnerability in all releases up through and including version 3.6.1. Sites running any of these versions are at risk, regardless of the number of users or the level of access granted to the plugin.

Risk and Exploitability

The CVSS score of 7.7 describes a high severity data confidentiality impact. The EPSS score of less than one percent implies a low likelihood of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a request to the plugin’s endpoint or API that inadvertently returns sensitive data, potentially exploitable by anyone who can invoke that route. The threat primarily endangers data confidentiality rather than system integrity or availability.

Generated by OpenCVE AI on April 28, 2026 at 04:41 UTC.

Remediation

Vendor Solution

Update the WordPress Templately Plugin to the latest available version (at least 3.6.2).

OpenCVE Recommended Actions

  • Upgrade the WordPress Templately plugin to version 3.6.2 or newer to remove the data exposure flaw
  • Restrict or disable the plugin on sites where an update cannot be applied promptly, limiting the exposure surface
  • Conduct a review of content that may have been exposed through the vulnerable plugin and remove or secure any sensitive information that was inadvertently leaked

Generated by OpenCVE AI on April 28, 2026 at 04:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam templately
Vendors & Products Wordpress
Wordpress wordpress
Wpdevteam
Wpdevteam templately

Mon, 27 Apr 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1.
Title WordPress Templately plugin <= 3.6.1 - Sensitive Data Exposure vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Wordpress Wordpress
Wpdevteam Templately
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-27T10:31:24.329Z

Reserved: 2026-04-27T08:22:05.095Z

Link: CVE-2026-42379

cve-icon Vulnrichment

Updated: 2026-04-27T10:31:13.969Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T09:16:02.043

Modified: 2026-04-27T18:37:59.213

Link: CVE-2026-42379

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:30:13Z

Weaknesses