CVE-2025-23774
Published: 22 January 2025
Summary
CVE-2025-23774 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Information Output Filtering directly prevents the insertion of sensitive data into transmitted responses by filtering outputs prior to transmission.
Flaw Remediation requires timely patching of the vulnerable WPDB to Sql plugin to eliminate the sensitive data exposure vulnerability.
Monitoring for Information Disclosure enables detection of unauthorized sensitive data leaks in transmitted data from the plugin.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Sensitive data exposure in a public-facing WordPress plugin enables remote collection of confidential data from the local system (T1005) via exploitation of a public-facing application (T1190).
NVD Description
Insertion of Sensitive Information Into Sent Data vulnerability in Niket Joshi WPDB to Sql wpdb-to-sql allows Retrieve Embedded Sensitive Data. This issue affects WPDB to Sql: from n/a through <= 1.2.
Deeper analysis [AI]
CVE-2025-23774 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the WPDB to Sql WordPress plugin developed by Niket Joshi. This issue affects all versions of the wpdb-to-sql plugin up to and including 1.2, enabling attackers to retrieve embedded sensitive data that is inadvertently included in transmitted data.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), meaning it can be exploited over the network by unauthenticated attackers, with low attack complexity and no user interaction. The confidentiality impact is high: successful exploitation allows remote attackers to obtain confidential information, such as sensitive data embedded in responses, without impacting integrity or availability.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wpdb-to-sql/vulnerability/wordpress-wpdb-to-sql-plugin-1-2-sensitive-data-exposure-vulnerability?_s_id=cve) documents this sensitive data exposure vulnerability in the WPDB to Sql plugin version 1.2. Security practitioners should consult the advisory for specific mitigation recommendations, such as applying available patches or updates.