Impact
Unauthenticated users can retrieve confidential data stored or managed by the Kit (formerly ConvertKit) for WooCommerce plugin for WordPress in versions up to and including 2.1.5. The weakness is classified as CWE-497, meaning the plugin fails to properly safeguard sensitive data before making it available to unauthenticated parties. This flaw can expose personal information, transaction details, or other sensitive content to anyone who can reach the vulnerable interfaces, compromising confidentiality.
Affected Systems
WordPress installations that use the Nathanbarry:Kit (formerly ConvertKit) for WooCommerce plugin at version 2.1.5 or earlier are affected. Any WooCommerce site running these plugin versions may expose user data through the plugin's publicly reachable endpoints or its internal data retrieval mechanisms.
Risk and Exploitability
A CVSS score of 5.3 places the issue in the medium severity range. No EPSS score is available, so there is no quantitative indication of a high exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending unauthenticated requests to the plugin's data endpoints, potentially retrieving sensitive data without any authentication or privileged access. The absence of authentication checks makes exploitation straightforward, but there was no evidence of widespread active exploitation at the time of analysis.
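To illustrate the class of weakness described above, the following is an added PHP example, not code from the Kit plugin or its authors: a hypothetical WordPress REST route that hands WooCommerce order data to anyone (the weak form) beside the same route gated by a capability check (the hardened form). The namespace, route paths, and handler name are assumptions; the WordPress and WooCommerce functions used are real.

```php
<?php
// Added illustration (not the plugin's own code). Route names and the
// handler are hypothetical; the WordPress/WooCommerce APIs are real.

add_action( 'rest_api_init', function () {

    // Weak form: '__return_true' as the permission callback means any
    // visitor who can reach /wp-json/example-kit/v1/orders gets the data.
    register_rest_route( 'example-kit/v1', '/orders', array(
        'methods'             => 'GET',
        'callback'            => 'example_kit_orders',
        'permission_callback' => '__return_true',
    ) );

    // Hardened form: the same handler, but the REST layer refuses the
    // request unless the caller is logged in and may manage WooCommerce.
    register_rest_route( 'example-kit/v1', '/orders-secure', array(
        'methods'             => 'GET',
        'callback'            => 'example_kit_orders',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_not_logged_in',
                    'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                return new WP_Error( 'rest_forbidden',
                    'Insufficient privileges.', array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
} );

// Handler that returns the kind of personal and transaction data the
// advisory describes; it is identical for both routes, so the only thing
// standing between the data and an anonymous caller is permission_callback.
function example_kit_orders( WP_REST_Request $request ) {
    $out = array();
    foreach ( wc_get_orders( array( 'limit' => 10 ) ) as $order ) {
        $out[] = array(
            'id'    => $order->get_id(),
            'email' => $order->get_billing_email(),
            'total' => $order->get_total(),
        );
    }
    return rest_ensure_response( $out );
}
```

When auditing a plugin for this weakness, every `register_rest_route` (and every `wp_ajax_nopriv_*` hook) that returns user or order data should carry a permission callback that checks a capability, not `__return_true`.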
OpenCVE Enrichment