CVE-2025-2942

EUVD-2025-21114
The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post title (such as from draft and private posts) via an unauthenticated AJAX action, allowing attackers to retrieve such information
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CISA-ADPADP
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Affected Products (NVD)
VendorProductVersion
tychesoftwaresorder_delivery_date_for_woocommerce
𝑥
< 12.6.0
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/13a87567-2cf7-4bfb-8d63-a8e74950978f/
https://wpscan.com/vulnerability/13a87567-2cf7-4bfb-8d63-a8e74950978f/