CVE-2025-2942

The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post title (such as from draft and private posts) via an unauthenticated AJAX action, allowing attackers to retrieve such information
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
WPScanCNA
---
---
CISA-ADPADP
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
VendorProductVersion
tychesoftwaresorder_delivery_date_for_woocommerce
𝑥
< 12.6.0
𝑥
= Vulnerable software versions
References
https://wpscan.com/vulnerability/13a87567-2cf7-4bfb-8d63-a8e74950978f/
https://wpscan.com/vulnerability/13a87567-2cf7-4bfb-8d63-a8e74950978f/