{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42379", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-27T08:22:05.095Z", "datePublished": "2026-04-27T08:26:37.727Z", "dateUpdated": "2026-04-27T10:31:24.329Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-27T08:26:37.727Z"}, "title": "WordPress Templately plugin <= 3.6.1 - Sensitive Data Exposure vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-201", "description": "CWE-201 Insertion of Sensitive Information Into Sent Data", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "affected": [{"vendor": "WPDeveloper", "product": "Templately", "collectionURL": "https://wordpress.org/plugins", "packageName": "templately", "versions": [{"status": "affected", "version": "n/a", "lessThanOrEqual": "3.6.1", "changes": [{"at": "3.6.2", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.<p>This issue affects Templately: from n/a through 3.6.1.</p>"}]}], "tags": ["x_open-source"], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-6-1-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "Update the WordPress Templately Plugin to the latest available version (at least 3.6.2).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress Templately Plugin to the latest available version (at least 3.6.2)."}]}], "credits": [{"lang": "en", "value": "Ananda Dhakal | Patchstack", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T10:30:49.907519Z", "id": "CVE-2026-42379", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T10:31:24.329Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42379", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T10:30:49.907519Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T10:31:13.969Z"}}], "cna": {"tags": ["x_open-source"], "title": "WordPress Templately plugin <= 3.6.1 - Sensitive Data Exposure vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Ananda Dhakal | Patchstack"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WPDeveloper", "product": "Templately", "versions": [{"status": "affected", "changes": [{"at": "3.6.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "3.6.1"}], "packageName": "templately", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Templately Plugin to the latest available version (at least 3.6.2).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Templately Plugin to the latest available version (at least 3.6.2).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-6-1-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1.", "supportingMedia": [{"type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.<p>This issue affects Templately: from n/a through 3.6.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201 Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-27T08:26:37.727Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42379", "state": "PUBLISHED", "dateUpdated": "2026-04-27T10:31:24.329Z", "dateReserved": "2026-04-27T08:22:05.095Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-27T08:26:37.727Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1."}], "id": "CVE-2026-42379", "lastModified": "2026-04-27T18:37:59.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-27T09:16:02.043", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-6-1-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.1]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "3.6.2"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "Templately", "source": "cna", "vendor": "WPDeveloper"}, "product": "templately", "vendor": "wpdevteam"}], "analysis": {"en": {"generated_at": "2026-04-28T04:41:54.423749+00:00", "value": {"mitigation_remediation": ["Upgrade the WordPress Templately plugin to version 3.6.2 or newer to remove the data exposure flaw", "Restrict or disable the plugin on sites where an update cannot be applied promptly, limiting the exposure surface", "Conduct a review of content that may have been exposed through the vulnerable plugin and remove or secure any sensitive information that was inadvertently leaked"], "summary": {"action": "Patch Update", "impact": "Sensitive data exposure (confidentiality compromise)"}, "threat_synthesis": {"affected_systems": "The issue affects the WPDeveloper Templately plugin for WordPress, introducing the vulnerability in all releases up through and including version 3.6.1. Sites running any of these versions are at risk, regardless of the number of users or the level of access granted to the plugin.", "description_and_impact": "A flaw in the WordPress Templately plugin allows the insertion of sensitive information into data that is transmitted back to the requester. The vulnerability is classified as CWE\u2011201 and permits an attacker to retrieve embedded sensitive data, thus exposing confidential information that should not be publicly available.", "risk_and_exploitability": "The CVSS score of 7.7 describes a high severity data confidentiality impact. The EPSS score of less than one percent implies a low likelihood of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be a request to the plugin\u2019s endpoint or API that inadvertently returns sensitive data, potentially exploitable by anyone who can invoke that route. The threat primarily endangers data confidentiality rather than system integrity or availability."}}}}, "created": "2026-04-28T04:45:22.553227+00:00", "updated": "2026-04-28T08:30:13.041572+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdevteam", "wpdevteam$PRODUCT$templately"]}