CVE-2025-24582
Published: 24 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network (this is the MITRE ATT&CK description of T1190, Exploit Public-Facing Application, the technique this CVE is mapped to below).
Security Summary
CVE-2025-24582 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the WordPress plugin AA Web Servant 12 Step Meeting List, also referred to as 12-step-meeting-list. The issue affects all versions of the plugin up to and including 3.16.5 (Patchstack lists the lower bound as n/a). The plugin includes sensitive data in responses it sends, so an attacker who can reach the affected functionality can retrieve that data; the advisory does not state which data or which endpoint.
The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N): it is reachable over the network (AV:N), has low attack complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), and does not change scope (S:U). The impact is limited to a low confidentiality loss (C:L), with no effect on integrity (I:N) or availability (A:N).
Patchstack tracks this sensitive data exposure vulnerability in the WordPress 12-step-meeting-list plugin for versions up to and including 3.16.5. For the fixed version and mitigation guidance, which this page does not state, refer to the advisory at https://patchstack.com/database/Wordpress/Plugin/12-step-meeting-list/vulnerability/wordpress-12-step-meeting-list-plugin-3-16-5-sensitive-data-exposure-vulnerability?_s_id=cve.
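As a practical check, added here and not code from this page, Patchstack or the plugin, the following POSIX shell script compares an installed copy of 12-step-meeting-list against the affected range stated above. It assumes that any version numerically greater than 3.16.5 lies outside the range (the page does not name the fixed version); the `version_le`, `is_affected`, `classify` and `check_site` functions are this example's own names, while `wp plugin get 12-step-meeting-list --field=version` is the real WP-CLI command that prints the installed version.

```shell
#!/bin/sh
# Added example: decide whether an installed 12-step-meeting-list version is
# inside the range this advisory names (all versions through 3.16.5).
set -eu

# Last affected version from the advisory. Anything above it is treated as
# outside the range; that is this script's assumption, not a fact the page states.
LAST_AFFECTED="3.16.5"

# version_le A B: exit 0 when A <= B, comparing dot-separated components
# numerically. Plain string comparison is wrong for plugin versions
# ("3.9.0" sorts after "3.16.5" lexicographically but is older).
version_le() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        # Drop any non-numeric suffix such as "-beta1" and treat a missing
        # component as 0, so "3.16" compares as "3.16.0".
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# is_affected VERSION: exit 0 when VERSION is within the advisory's range.
is_affected() {
    version_le "$1" "$LAST_AFFECTED"
}

# classify VERSION: print "affected" or "not-affected" for use in reports.
classify() {
    if is_affected "$1"; then echo "affected"; else echo "not-affected"; fi
}

# check_site: query the live WordPress install through WP-CLI and report.
# Exit 1 when the installed version is affected, 2 when the plugin cannot be read.
check_site() {
    v=$(wp plugin get 12-step-meeting-list --field=version 2>/dev/null) || {
        echo "12-step-meeting-list: not installed or WP-CLI unavailable"
        return 2
    }
    status=$(classify "$v")
    echo "12-step-meeting-list $v: $status by CVE-2025-24582 (last affected $LAST_AFFECTED)"
    [ "$status" = "not-affected" ]
}

# Run the live check only when invoked as: sh check.sh --check
case "${1:-}" in --check) check_site ;; esac
```

Run it from the WordPress document root (or with `--path=` set for WP-CLI) as `sh check.sh --check`; the exit status makes it usable from a fleet-wide loop or a cron job that pages on non-zero.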
Details
- CWE(s): CWE-201 (Insertion of Sensitive Information Into Sent Data)
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
The vulnerability is an information disclosure flaw in a WordPress plugin exposed by a public-facing site, and its CVSS vector (AV:N, PR:N, UI:N) means an unauthenticated attacker can trigger it over the network without any user action. That is the T1190 pattern (Exploit Public-Facing Application): the attacker exploits the exposed plugin directly to retrieve the embedded sensitive data.