CVE-2025-23781
Published: 22 January 2025
Summary
CVE-2025-23781 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 44.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-23781 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the WM Options Import Export WordPress plugin (wm-options-import-export) developed by Web Mumbai. This issue affects all versions of the plugin from n/a through 1.0.1, enabling attackers to retrieve embedded sensitive data.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it can be exploited over the network with low complexity by unauthenticated attackers without requiring user interaction. Successful exploitation allows remote retrieval of sensitive information exposed in sent data, compromising confidentiality but without impacting integrity or availability.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wm-options-import-export/vulnerability/wordpress-wm-options-import-export-plugin-1-0-1-sensitive-data-exposure-vulnerability?_s_id=cve. The vulnerability was published on 2025-01-22T15:15:23.573.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3414
Vulnerability details
Insertion of Sensitive Information Into Sent Data vulnerability in Web Mumbai WM Options Import Export wm-options-import-export allows Retrieve Embedded Sensitive Data.This issue affects WM Options Import Export: from n/a through <= 1.0.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated remote information disclosure in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications to retrieve sensitive data.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-15 requires filtering information prior to output to external destinations, directly preventing the insertion and exposure of sensitive data in sent responses from the vulnerable plugin.
SI-2 ensures timely remediation of identified flaws, such as patching the WM Options Import Export plugin to eliminate the sensitive data insertion vulnerability.
AU-13 monitors system components for unauthorized retrieval of information, enabling detection of exploitation attempts retrieving embedded sensitive data via this vulnerability.