CVE-2025-12677
BaseFortify
Publication date: 2025-11-05
Last updated on: 2025-11-06
Assigner: Wordfence
Description
The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhook token value when configured.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kiotviet | sync_plugin | 1.8.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The KiotViet Sync plugin for WordPress has a vulnerability in all versions up to and including 1.8.5 where unauthenticated attackers can exploit the register_api_route() function to extract the webhook token value. This is a Sensitive Information Exposure vulnerability.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to obtain the webhook token, which could potentially be used to access or manipulate webhook-related functionality, leading to unauthorized access or data exposure.