Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7.
The vulnerability lies in the fact that the plugin incorrectly attaches sensitive information to data sent in network responses or requests. An attacker can intercept or otherwise retrieve this data without requiring authentication and without any user interaction. Due to the network vector (AV:N) and lack of permission requirements (PR:N) and user interaction (UI:N), the attack can be conducted remotely by anyone with access to the network.
An attacker can gain access to sensitive data embedded in transmitted information, which may lead to violations of confidentiality, integrity and system availability — including potentially credential theft or further attack escalation.
The Templately plugin should be updated to a version higher than 3.2.7. Detailed information about the available patch can be found in the vendor references and in the Patchstack database.
The WPDeveloper Templately plugin for WordPress in versions from n/a to 3.2.7 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H