Cyber Resilience

CVE-2026-42379

High

Published: 27 April 2026

Published
27 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0004 12.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42379 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 12.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42379 is an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) in the WPDeveloper Templately WordPress plugin, affecting all versions from n/a through 3.6.1. Published on 2026-04-27, it enables the retrieval of embedded sensitive data and carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility and significant confidentiality impact.

The vulnerability can be exploited by a low-privileged authenticated user (PR:L) over the network with low attack complexity and no user interaction. Exploitation changes scope (S:C) and results in high confidentiality impact (C:H), allowing the attacker to retrieve sensitive data embedded in sent data without affecting integrity or availability.

Patchstack's advisory at https://patchstack.com/database/wordpress/plugin/templately/vulnerability/wordpress-templately-plugin-3-6-1-sensitive-data-exposure-vulnerability?_s_id=cve documents this sensitive data exposure issue in Templately version 3.6.1, providing details relevant to mitigation and patching for affected WordPress installations.

EU & UK References

Vulnerability details

Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability enables unauthorized retrieval of sensitive data embedded in responses from the WordPress plugin, directly facilitating collection of sensitive data from local system sources.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56300Shared CWE-201
CVE-2025-23774Shared CWE-201
CVE-2025-68033Shared CWE-201
CVE-2026-32538Shared CWE-201
CVE-2025-68035Shared CWE-201
CVE-2026-20151Shared CWE-201
CVE-2026-27370Shared CWE-201
CVE-2026-39912Shared CWE-201
CVE-2026-42673Shared CWE-201
CVE-2026-32829Shared CWE-201

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the specific flaw in the Templately plugin that inserts sensitive information into sent data by identifying, prioritizing, and applying patches or updates.

prevent

Filters information prior to output from the WordPress plugin to prevent sensitive data from being embedded and sent, comprehensively addressing CWE-201 insertion vulnerability.

prevent

Enforces least privilege to restrict low-privileged users (PR:L) from accessing the vulnerable plugin functionality that exposes embedded sensitive data.

References