Cyber Posture

CVE-2025-23781

Severity: High

Published: 22 January 2025
Modified: 23 April 2026
KEV Added: not listed (this CVE is not in the CISA KEV catalog)
Patch: see the Patchstack advisory linked under Deeper analysis
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0032 (55.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-23781 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.0% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: SI-15 (Information Output Filtering) requires filtering information prior to output to external destinations, directly preventing the insertion and exposure of sensitive data in responses sent by the vulnerable plugin.

Prevent: SI-2 (Flaw Remediation) ensures timely remediation of identified flaws, such as patching the WM Options Import Export plugin to eliminate the sensitive data insertion vulnerability.

Detect: AU-13 (Monitoring for Information Disclosure) monitors system components for unauthorized retrieval of information, enabling detection of exploitation attempts that retrieve embedded sensitive data via this vulnerability.
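The SI-15 and AU-13 controls above describe output filtering and disclosure monitoring in the abstract. The following is an added example of what those controls look like in a WordPress options-export handler; it is not code from the WM Options Import Export plugin or from Web Mumbai. The `wmoe_` function names, the `WMOE_EXPORT_ALLOWLIST` constant, the `wmoe_export` action and nonce names, and the choice of which options are exportable are all assumptions made for illustration; only the WordPress core APIs (`current_user_can`, `check_admin_referer`, `wp_load_alloptions`, `wp_json_encode`, `admin_post_*`) are real.

```php
<?php
// Added example, not the plugin's own code. Demonstrates the two gates the
// controls above call for: output filtering (SI-15) so that only an
// allowlisted set of options can ever leave the site, and an audit record
// of every export (AU-13). Names prefixed wmoe_ are hypothetical.

// Option names permitted in an export. Everything not listed is dropped
// before output. The set here is an assumed, deliberately small allowlist
// of real WordPress core option names.
const WMOE_EXPORT_ALLOWLIST = array(
    'blogname',
    'blogdescription',
    'timezone_string',
    'date_format',
    'time_format',
);

// Independent second gate: option names matching these patterns are never
// serialized into a response, even if someone later adds them to the
// allowlist by mistake.
const WMOE_SENSITIVE_NAME_PATTERN = '/(pass|secret|token|api_?key|private|mailserver)/i';

/**
 * Apply SI-15 style output filtering to a name => value option map.
 * Returns only allowlisted options whose names do not look sensitive.
 */
function wmoe_filter_export_options( array $options ): array {
    $filtered = array();
    foreach ( $options as $name => $value ) {
        if ( ! in_array( $name, WMOE_EXPORT_ALLOWLIST, true ) ) {
            continue; // not on the allowlist: never exported
        }
        if ( preg_match( WMOE_SENSITIVE_NAME_PATTERN, $name ) ) {
            continue; // defence in depth against an over-broad allowlist
        }
        $filtered[ $name ] = $value;
    }
    return $filtered;
}

/**
 * Export handler wired to admin-post.php?action=wmoe_export (hypothetical).
 * The CVSS vector on this page has PR:N, i.e. the vulnerable path was
 * reachable without authentication; this handler refuses such requests.
 */
function wmoe_handle_export(): void {
    // Gate 1: only users who may manage options can export them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wmoe-example' ), 403 );
    }
    // Gate 2: CSRF protection; nonce field name is an assumption.
    check_admin_referer( 'wmoe_export', 'wmoe_nonce' );

    // wp_load_alloptions() returns the autoloaded options as name => value.
    $export = wmoe_filter_export_options( wp_load_alloptions() );

    // AU-13: record who exported what, so a monitoring pipeline can see
    // unexpected export activity. Written to the PHP error log here.
    error_log( sprintf(
        '[wmoe] options export: %d options, user=%d, remote=%s',
        count( $export ),
        get_current_user_id(),
        sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' )
    ) );

    nocache_headers();
    header( 'Content-Type: application/json; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="options-export.json"' );
    echo wp_json_encode( $export, JSON_PRETTY_PRINT );
    exit;
}
add_action( 'admin_post_wmoe_export', 'wmoe_handle_export' );
```

The design point is that the allowlist, not a denylist, decides what is sent: an export path that serializes every option and then tries to strip the sensitive ones will leak whatever it did not think to strip. The name-pattern check is only a backstop. Note also that `admin_post_{action}` (without the `nopriv_` prefix) is never reached by unauthenticated visitors, which is the structural fix for a PR:N information disclosure.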

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is an unauthenticated remote information disclosure in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications to retrieve sensitive data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Insertion of Sensitive Information Into Sent Data vulnerability in Web Mumbai WM Options Import Export wm-options-import-export allows Retrieve Embedded Sensitive Data. This issue affects WM Options Import Export: from n/a through <= 1.0.1.

Deeper analysis (AI-generated)

CVE-2025-23781 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the WM Options Import Export WordPress plugin (wm-options-import-export) developed by Web Mumbai. This issue affects all versions of the plugin from n/a through 1.0.1, enabling attackers to retrieve embedded sensitive data.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited over the network with low complexity by unauthenticated attackers without requiring user interaction. Successful exploitation allows remote retrieval of sensitive information exposed in sent data, compromising confidentiality but without impacting integrity or availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wm-options-import-export/vulnerability/wordpress-wm-options-import-export-plugin-1-0-1-sensitive-data-exposure-vulnerability?_s_id=cve. The vulnerability was published on 2025-01-22T15:15:23.573.

Details

CWE(s): CWE-201 (Insertion of Sensitive Information Into Sent Data)

CVEs Like This One

CVE-2026-27934 (shared CWE-201)
CVE-2025-68033 (shared CWE-201)
CVE-2026-32538 (shared CWE-201)
CVE-2025-68035 (shared CWE-201)
CVE-2026-27406 (shared CWE-201)
CVE-2025-24582 (shared CWE-201)
CVE-2026-27370 (shared CWE-201)
CVE-2025-22303 (shared CWE-201)
CVE-2025-67931 (shared CWE-201)
CVE-2025-23774 (shared CWE-201)
