CVE-2025-23781

Severity: High
Published: 22 January 2025
Modified: 23 April 2026
KEV Added: none (not listed in the CISA KEV catalog)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0032 (55.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-23781 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 44.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-23781 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the WM Options Import Export WordPress plugin (wm-options-import-export) developed by Web Mumbai. This issue affects all versions of the plugin from n/a through 1.0.1, enabling attackers to retrieve embedded sensitive data.

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited over the network with low complexity by unauthenticated attackers without requiring user interaction. Successful exploitation allows remote retrieval of sensitive information exposed in sent data, compromising confidentiality but without impacting integrity or availability.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wm-options-import-export/vulnerability/wordpress-wm-options-import-export-plugin-1-0-1-sensitive-data-exposure-vulnerability?_s_id=cve. The vulnerability was published on 2025-01-22T15:15:23.573.

Vulnerability details

Insertion of Sensitive Information Into Sent Data vulnerability in Web Mumbai WM Options Import Export (wm-options-import-export) allows Retrieve Embedded Sensitive Data. This issue affects WM Options Import Export: from n/a through <= 1.0.1.

CWE(s): CWE-201 (Insertion of Sensitive Information Into Sent Data)

Related Threats: MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated remote information disclosure in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications to retrieve sensitive data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-68033 (shared CWE-201)
CVE-2026-32538 (shared CWE-201)
CVE-2025-68035 (shared CWE-201)
CVE-2026-27370 (shared CWE-201)
CVE-2024-13254 (shared CWE-201)
CVE-2026-27934 (shared CWE-201)
CVE-2026-27406 (shared CWE-201)
CVE-2025-24582 (shared CWE-201)
CVE-2024-13259 (shared CWE-201)
CVE-2025-67931 (shared CWE-201)

Affected Assets: WM Options Import Export WordPress plugin (wm-options-import-export) by Web Mumbai, all versions through 1.0.1

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-15 (Information Output Filtering) requires filtering information prior to output to external destinations, directly preventing the insertion and exposure of sensitive data in sent responses from the vulnerable plugin.

Prevent: SI-2 (Flaw Remediation) ensures timely remediation of identified flaws, such as patching the WM Options Import Export plugin to eliminate the sensitive data insertion vulnerability.

Detect: AU-13 (Monitoring for Information Disclosure) monitors system components for unauthorized retrieval of information, enabling detection of exploitation attempts retrieving embedded sensitive data via this vulnerability.
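The SI-15 control above is abstract; the following is an added illustration of what output filtering looks like for an options-export flow in a WordPress-style plugin. It is not the WM Options Import Export plugin's code and says nothing about how that plugin builds its export: the option names, the sample option values, the allowlist and the name-pattern rule are all constructed assumptions for the example.

```php
<?php
// Added example of NIST SI-15 (Information Output Filtering) applied to an
// options-export payload. Not the plugin's code; all names and values below
// are constructed for illustration.

/**
 * Return only the options that are safe to include in an export payload.
 * Strategy: deny by default. An option is emitted only if its name is on an
 * explicit allowlist AND its name does not look like a credential. The second
 * check guards against a credential being allowlisted by mistake.
 */
function filter_export_options(array $options, array $allowlist): array
{
    // Constructed pattern of names that must never leave the site.
    $sensitive_pattern = '/(secret|password|passwd|api[_-]?key|token|salt|private)/i';
    $safe = [];
    foreach ($options as $name => $value) {
        if (!in_array($name, $allowlist, true)) {
            continue;                       // not explicitly allowed
        }
        if (preg_match($sensitive_pattern, $name) === 1) {
            continue;                       // allowlisted, but credential-like: still drop
        }
        $safe[$name] = $value;
    }
    return $safe;
}

// Constructed sample of what a site's options table might hold.
$all_options = [
    'blogname'             => 'Example Site',
    'timezone_string'      => 'Europe/London',
    'mailer_smtp_password' => 'hunter2',               // must not be exported
    'payment_api_key'      => 'sk_test_constructed',   // must not be exported
    'admin_email'          => 'admin@example.test',
];

// Constructed allowlist; note payment_api_key is (wrongly) on it.
$allowlist = ['blogname', 'timezone_string', 'payment_api_key'];

$export = filter_export_options($all_options, $allowlist);
// $export now holds blogname and timezone_string only: payment_api_key is
// dropped by the name pattern, the others are dropped by the allowlist.
header('Content-Type: application/json');
echo json_encode($export, JSON_PRETTY_PRINT), "\n";
```

In a real plugin the export handler should also require an authorization check (in WordPress, a capability test such as `current_user_can('manage_options')` plus a nonce) before any payload is emitted; the CVSS vector on this page (PR:N) indicates the vulnerable versions could be reached without authentication, so filtering the output and gating the endpoint are complementary controls, not alternatives.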