CVE-2026-42379
Published: 27 April 2026
Summary
CVE-2026-42379 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 12.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-42379 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the WPDeveloper Templately WordPress plugin, affecting all versions from n/a through 3.6.1. Published on 2026-04-27, it enables the retrieval of embedded sensitive data and carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility and significant confidentiality impact.
The vulnerability can be exploited by a low-privileged authenticated user (PR:L) over the network with low attack complexity and no user interaction. Exploitation changes scope (S:C) and results in high confidentiality impact (C:H), allowing the attacker to retrieve sensitive data embedded in sent data without affecting integrity or availability.
Patchstack's advisory at https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-6-1-sensitive-data-exposure-vulnerability?_s_id=cve documents this sensitive data exposure issue in Templately version 3.6.1, providing details relevant to mitigation and patching for affected WordPress installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25797
Vulnerability details
Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthorized retrieval of sensitive data embedded in responses from the WordPress plugin, directly facilitating collection of sensitive data from local system sources.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the specific flaw in the Templately plugin that inserts sensitive information into sent data by identifying, prioritizing, and applying patches or updates.
Filters information prior to output from the WordPress plugin to prevent sensitive data from being embedded and sent, comprehensively addressing CWE-201 insertion vulnerability.
Enforces least privilege to restrict low-privileged users (PR:L) from accessing the vulnerable plugin functionality that exposes embedded sensitive data.