CVE-2025-23781
Published: 22 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-23781 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the WM Options Import Export WordPress plugin (wm-options-import-export) developed by Web Mumbai. This issue affects all versions of the plugin from n/a through 1.0.1, enabling attackers to retrieve embedded sensitive data.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited over the network with low complexity by unauthenticated attackers without requiring user interaction. Successful exploitation allows remote retrieval of sensitive information exposed in sent data, compromising confidentiality but without impacting integrity or availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wm-options-import-export/vulnerability/wordpress-wm-options-import-export-plugin-1-0-1-sensitive-data-exposure-vulnerability?_s_id=cve. The vulnerability was published on 2025-01-22T15:15:23.573.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an information disclosure issue in a public-facing WordPress plugin, directly enabling remote unauthenticated exploitation of an internet-facing application to retrieve sensitive data.