CVE-2025-47540 - Vulnerability Details - OpenCVE

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail allows Retrieve Embedded Sensitive Data. This issue affects weMail: from n/a through 1.14.13.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Wedevs	Wemail

Configuration 1 [-]

cpe:2.3:a:wedevs:wemail:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://patchstack.com/database/wordpress/plugin/wemail/vulnerability/wordpress-wemail-1-14-13-sensitive-data-exposure-vulnerability?_s_id=cve

History

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00042}`	epss `{'score': 0.00044}`

Mon, 09 Jun 2025 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wedevs Wedevs wemail
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:wedevs:wemail::::::wordpress::*
Vendors & Products		Wedevs Wedevs wemail

Wed, 07 May 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 07 May 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail allows Retrieve Embedded Sensitive Data. This issue affects weMail: from n/a through 1.14.13.
Title		WordPress weMail <= 1.14.13 - Sensitive Data Exposure Vulnerability
Weaknesses		CWE-497
References		https://patchstack.com/database/wordpress/plugin/wemail/vulnerability/wordpress-wemail-1-14-13-sensitive-data-exposure-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-05-07T14:20:14.711Z

Updated: 2025-05-07T18:17:31.465Z

Reserved: 2025-05-07T09:39:53.906Z

Link: CVE-2025-47540

Vulnrichment

Updated: 2025-05-07T17:20:01.969Z

NVD

Status : Analyzed

Published: 2025-05-07T15:16:10.720

Modified: 2025-06-09T17:04:28.477

Link: CVE-2025-47540

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47540", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-05-07T09:39:53.906Z", "datePublished": "2025-05-07T14:20:14.711Z", "dateUpdated": "2025-05-07T18:17:31.465Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2025-05-07T14:20:14.711Z"}, "title": "WordPress weMail <= 1.14.13 - Sensitive Data Exposure Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "affected": [{"vendor": "weDevs", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wemail", "product": "weMail", "versions": [{"lessThanOrEqual": "1.14.13", "status": "affected", "version": "n/a", "versionType": "custom", "changes": [{"at": "1.14.14", "status": "unaffected"}]}]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail allows Retrieve Embedded Sensitive Data. This issue affects weMail: from n/a through 1.14.13.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail allows Retrieve Embedded Sensitive Data.</p><p>This issue affects weMail: from n/a through 1.14.13.</p>"}]}], "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/plugin/wemail/vulnerability/wordpress-wemail-1-14-13-sensitive-data-exposure-vulnerability?_s_id=cve"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "version": "3.1"}}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update the WordPress weMail plugin to the latest available version (at least 1.14.14)."}], "value": "Update the WordPress weMail plugin to the latest available version (at least 1.14.14)."}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Denver Jackson (Patchstack Alliance)"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-07T17:20:00.626279Z", "id": "CVE-2025-47540", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T18:17:31.465Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-47540", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-05-07T09:39:53.906Z", "datePublished": "2025-05-07T14:20:14.711Z", "dateUpdated": "2025-05-07T18:17:31.465Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2025-05-07T14:20:14.711Z"}, "title": "WordPress weMail <= 1.14.13 - Sensitive Data Exposure Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "affected": [{"vendor": "weDevs", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wemail", "product": "weMail", "versions": [{"lessThanOrEqual": "1.14.13", "status": "affected", "version": "n/a", "versionType": "custom", "changes": [{"at": "1.14.14", "status": "unaffected"}]}]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail allows Retrieve Embedded Sensitive Data. This issue affects weMail: from n/a through 1.14.13.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail allows Retrieve Embedded Sensitive Data.</p><p>This issue affects weMail: from n/a through 1.14.13.</p>"}]}], "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/plugin/wemail/vulnerability/wordpress-wemail-1-14-13-sensitive-data-exposure-vulnerability?_s_id=cve"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseSeverity": "MEDIUM", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "version": "3.1"}}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update the WordPress weMail plugin to the latest available version (at least 1.14.14)."}], "value": "Update the WordPress weMail plugin to the latest available version (at least 1.14.14)."}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Denver Jackson (Patchstack Alliance)"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47540", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-07T17:20:00.626279Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-07T17:20:01.969Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wedevs:wemail:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "3F1CE9D0-EB60-452B-ACEC-AAF0BFB5A7E8", "versionEndExcluding": "1.14.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail allows Retrieve Embedded Sensitive Data. This issue affects weMail: from n/a through 1.14.13."}, {"lang": "es", "value": "Exposici\u00f3n de informaci\u00f3n confidencial del sistema a una vulnerabilidad de esfera de control no autorizada en weDevs weMail, que permite recuperar datos confidenciales incrustados. Este problema afecta a weMail desde n/d hasta la versi\u00f3n 1.14.13."}], "id": "CVE-2025-47540", "lastModified": "2025-06-09T17:04:28.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-07T15:16:10.720", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/wordpress/plugin/wemail/vulnerability/wordpress-wemail-1-14-13-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}