CVE-2025-62039
Published: 06 November 2025
Summary
CVE-2025-62039 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked in the top 14.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.
Deeper analysis
The vulnerability CVE-2025-62039 is an insertion of sensitive information into sent data flaw, tracked as CWE-201, in the AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin. It affects all versions from n/a through 2.6.6 and carries a CVSS 3.1 score of 7.5.
Unauthenticated attackers with network access can exploit the issue without credentials or user interaction to retrieve embedded sensitive data from responses generated by the plugin, producing a high confidentiality impact while leaving integrity and availability unaffected.
The sole reference advisory from Patchstack describes the flaw as a sensitive data exposure vulnerability in the listed plugin versions and provides a public entry for tracking remediation.
EPSS remains low, with a current value of 0.0261 and a peak of 0.0325.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-38082
Vulnerability details
Insertion of Sensitive Information Into Sent Data vulnerability in Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS (ays-chatgpt-assistant) allows Retrieve Embedded Sensitive Data. This issue affects AI ChatBot with ChatGPT and Content Generator by AYS: from n/a through <= 2.6.6.
- CWE(s): CWE-201 (Insertion of Sensitive Information Into Sent Data)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, chatgpt
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote retrieval of embedded sensitive data from the ChatGPT-integrated WordPress plugin, likely including API keys or application access tokens, facilitating exploitation for credential access (T1212) and stealing application access tokens (T1528).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Taint tracking of embedded sensitive values (marking secrets such as API keys at their source and following them through the application) allows detection when that data is inserted into outbound or sent data streams.