Description
Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions.
Published: 2026-06-25
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to obtain sensitive information without authentication. Classified as CWE-201, this flaw resides in Vitepos versions up to 3.4.2, enabling exposure of customer and transaction data that should be protected. The main consequence is loss of confidentiality, potentially compromising customer privacy and violating data protection regulations.

Affected Systems

WordPress sites that have the Vitepos plugin installed with a version older than 3.4.3, as distributed by the vendor Appsbd. Any WordPress installation using Vitepos <= 3.4.2 is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. The likely attack vector is unauthenticated access to plugin endpoints or configuration pages, which an attacker can use to retrieve exposed data. No additional prerequisites are stated, so the vulnerability can potentially be exploited by any internet‑connected user.

Generated by OpenCVE AI on June 25, 2026 at 16:20 UTC.

Remediation

Vendor Solution

Update the WordPress Vitepos Plugin to the latest available version (at least 3.4.3).


OpenCVE Recommended Actions

  • Apply the latest Vitepos plugin update, at least 3.4.3, to eliminate the flaw and address the underlying CWE‑201 data exposure issue.
  • If an immediate update is not possible, disable or uninstall the Vitepos plugin to prevent unauthenticated data access.
  • Monitor web server logs for unauthenticated requests to plugin paths, check whether the access patterns indicate exploitation of the CWE‑201 vulnerability, and block suspicious IP addresses if needed.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Appsbd; Appsbd vitepos; Wordpress; Wordpress wordpress |
| Vendors & Products | | Appsbd; Appsbd vitepos; Wordpress; Wordpress wordpress |

Thu, 25 Jun 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 25 Jun 2026 14:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions. |
| Title | | WordPress Vitepos plugin <= 3.4.2 - Sensitive Data Exposure vulnerability |
| Weaknesses | | CWE-201 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:51:25.429Z

Reserved: 2026-06-16T09:21:57.269Z

Link: CVE-2026-54841

Vulnrichment

Updated: 2026-06-25T14:51:23.124Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-201: Insertion of Sensitive Information Into Sent Data