Description
Unauthenticated Sensitive Data Exposure in Kit (formerly ConvertKit) for WooCommerce <= 2.1.5 versions.
Published: 2026-07-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated requester can retrieve information that the Kit (formerly ConvertKit) for WooCommerce plugin, in versions 2.1.5 and earlier, should not make available. The assigned weakness is CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere): the plugin makes internal or system information reachable by parties who are not entitled to it. The CVSS vector rates the confidentiality impact as low (C:L) with no integrity or availability impact, so the expected outcome is a disclosure that aids reconnaissance or a follow-on attack rather than a direct compromise. The advisory text does not specify which data is exposed or through which interface.

Affected Systems

WordPress installations running the Kit (formerly ConvertKit) for WooCommerce plugin (CPE vendor nathanbarry) at version 2.1.5 or earlier, together with WooCommerce, are affected. Because the advisory does not name the exposed interface, every site running an affected version should be treated as exposed until the plugin is updated or deactivated.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) places the issue in the medium range: it is reachable over the network with low attack complexity and requires neither privileges nor user interaction, but the impact is limited to a partial loss of confidentiality. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below rates Exploitation as none, Automatable as yes and Technical Impact as partial. An attacker therefore needs only unauthenticated network access to an affected site, but there is no evidence of active exploitation at the time of analysis.

Generated by OpenCVE AI on July 3, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kit (formerly ConvertKit) for WooCommerce plugin to the first release after 2.1.5 that the vendor or Patchstack lists as fixing this issue; at the time of this analysis no fixed version is recorded
  • If an upgrade is not yet available, deactivate and remove the plugin from the WordPress site until a fixed version is released
  • Until then, enforce authentication in front of the plugin's request handlers (REST routes and admin-ajax actions) with a must-use plugin, a security plugin or a WAF rule, and confirm with an unauthenticated request that the data is no longer returned
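
The interim measures listed above, as an added example that is not part of the OpenCVE page or of the plugin's own code: a must-use plugin that raises an admin notice while an affected version (<= 2.1.5) is installed and refuses unauthenticated REST requests under the plugin's namespace. The plugin file path, the REST namespace prefix and the capability checked are placeholders, since the advisory names none of them; replace them with values confirmed on the site (the REST index at /wp-json/ lists every registered namespace).

```php
<?php
/**
 * Plugin Name: Interim hardening for Kit (formerly ConvertKit) for WooCommerce <= 2.1.5
 * Description: Drop this file into wp-content/mu-plugins/. It (1) warns administrators
 *              while an affected version is installed and (2) rejects unauthenticated
 *              REST requests to the plugin's routes until a fixed release is installed.
 */

// Assumptions (not taken from the advisory): the plugin's main file, relative to
// wp-content/plugins/, and the last affected version. Confirm the path on your install.
define( 'KIT_WC_HARDEN_PLUGIN_FILE', 'example-kit-woocommerce/example-kit-woocommerce.php' );
define( 'KIT_WC_HARDEN_LAST_VULNERABLE', '2.1.5' );

/** REST namespace prefixes to protect. Placeholder: the real namespace is not public here. */
function kit_wc_harden_protected_namespaces() {
    return array( '/example-kit-wc/' );
}

/** Installed plugin version from its header, or null when the plugin is not present. */
function kit_wc_harden_installed_version() {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $file = WP_PLUGIN_DIR . '/' . KIT_WC_HARDEN_PLUGIN_FILE;
    if ( ! file_exists( $file ) ) {
        return null;
    }
    $data = get_plugin_data( $file, false, false );
    return isset( $data['Version'] ) ? $data['Version'] : null;
}

/** True when the installed version falls inside the advisory's affected range. */
function kit_wc_harden_is_affected( $version ) {
    return null !== $version
        && version_compare( $version, KIT_WC_HARDEN_LAST_VULNERABLE, '<=' );
}

// (1) Admin notice while an affected version is installed.
add_action( 'admin_notices', function () {
    $version = kit_wc_harden_installed_version();
    if ( kit_wc_harden_is_affected( $version ) && current_user_can( 'update_plugins' ) ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'Kit for WooCommerce %s is installed; versions up to %s are affected by CVE-2026-57753. Update or deactivate it.',
                $version,
                KIT_WC_HARDEN_LAST_VULNERABLE
            ) )
        );
    }
} );

// (2) Require an authenticated, capable user for the plugin's REST routes.
// rest_pre_dispatch runs before routing; returning a WP_Error short-circuits the
// request with 401 (not logged in) or 403 (logged in, lacking the capability).
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();
    foreach ( kit_wc_harden_protected_namespaces() as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            // Capability is an assumption: choose the one that matches the data the route returns.
            if ( ! is_user_logged_in() || ! current_user_can( 'manage_woocommerce' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Authentication required for this route.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
        }
    }
    return $result; // null: let normal routing continue
}, 10, 3 );
```

This covers REST routes only. If the plugin also serves data through admin-ajax actions registered with wp_ajax_nopriv_, those need a separate hook or a WAF rule keyed on the action name, which the advisory does not provide. After deploying, repeat an unauthenticated request against each protected route and verify that the response is a 401 rather than the data.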

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 21:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type: Description
Values added: Unauthenticated Sensitive Data Exposure in Kit (formerly ConvertKit) for WooCommerce <= 2.1.5 versions.

Type: Title
Values added: WordPress Kit (formerly ConvertKit) for WooCommerce plugin <= 2.1.5 - Sensitive Data Exposure vulnerability

Type: Weaknesses
Values added: CWE-497

Type: References

Type: Metrics (cvssV3_1)
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T19:46:08.227Z

Reserved: 2026-06-25T08:04:34.979Z

Link: CVE-2026-57753

Vulnrichment

Updated: 2026-07-02T19:46:03.710Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T13:30:13Z

Weaknesses
  • CWE-497

    Exposure of Sensitive System Information to an Unauthorized Control Sphere