Description
Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square for WooCommerce allows Retrieve Embedded Sensitive Data.

This issue affects APIExperts Square for WooCommerce: from n/a through 4.7.3.
Published: 2026-06-25
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits the injection of sensitive information into data transmitted by the WordPress APIExperts Square for WooCommerce plugin, enabling an attacker to retrieve embedded sensitive data and thus breach confidentiality. It is identified as CWE‑201 Sensitive Data Exposure and has a CVSS base score of 8.3.

Affected Systems

Any WordPress site that installs the Saad Iqbal APIExperts Square for WooCommerce plugin version 4.7.3 or earlier is affected. No specific WordPress core or PHP version requirements are noted; any site running a vulnerable plugin version is at risk.

Risk and Exploitability

The high CVSS score reflects a serious potential danger. Because the EPSS score is unavailable, the exact likelihood of exploitation cannot be quantified, but the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote via the plugin’s API endpoints, as the weakness involves data sent out by the plugin. Should the exploit be successful, the attacker could read sensitive information that the plugin transmits. The lack of an available EPSS score underscores the need to treat the vulnerability with caution.

Generated by OpenCVE AI on June 25, 2026 at 15:57 UTC.

Remediation

Vendor Solution

Update the WordPress APIExperts Square for WooCommerce Plugin to the latest available version (at least 4.7.4).


OpenCVE Recommended Actions

  • Update the APIExperts Square for WooCommerce plugin to version 4.7.4 or later, which contains the fix.
  • If an immediate update cannot be performed, temporarily disable the plugin or block access to its API endpoints for unauthenticated users.
  • Audit recent data exchanges for signs of exposed sensitive information and rotate any credentials that may have been transmitted in those exchanges.

Generated by OpenCVE AI on June 25, 2026 at 15:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Saad Iqbal
Saad Iqbal apiexperts Square For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Saad Iqbal
Saad Iqbal apiexperts Square For Woocommerce
Wordpress
Wordpress wordpress

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects APIExperts Square for WooCommerce: from n/a through 4.7.3.
Title WordPress APIExperts Square for WooCommerce plugin <= 4.7.3 - Sensitive Data Exposure vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L'}


Subscriptions

Saad Iqbal Apiexperts Square For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-25T14:24:59.143Z

Reserved: 2026-06-16T09:22:02.525Z

Link: CVE-2026-54848

cve-icon Vulnrichment

Updated: 2026-06-25T14:24:05.845Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T00:30:17Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data