PT-2025-19907 · WordPress · Wp Smartpay
Kenneth Dunn · Published 2025-05-07 · Updated 2025-05-07
CVE-2025-3851
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
WP SmartPay plugin for WordPress versions 1.1.0 through 2.7.13
Description
The issue allows authenticated attackers with Subscriber-level access and above to view other users' data, including email addresses, names, and notes, due to missing validation on a user-controlled key in the show() function.
Recommendations
For WP SmartPay plugin for WordPress versions 1.1.0 through 2.7.13, consider disabling the show() function until a patch is available to prevent exploitation. Restrict access to sensitive user data to minimize the risk of unauthorized access.
Fix
Information Disclosure
Affected Products
Wp Smartpay