CVE-2025-12677
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-05

Last updated on: 2025-11-06

Assigner: Wordfence

Description
The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhook token value when configured.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-05
Last Modified
2025-11-06
Generated
2026-06-17
AI Q&A
2025-11-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12677
EUVD
EUVD-2025-37789
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kiotviet sync_plugin 1.8.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The KiotViet Sync plugin for WordPress has a vulnerability in all versions up to 1.8.5 where unauthenticated attackers can exploit the register_api_route() function to extract the webhook token value. This is a Sensitive Information Exposure vulnerability.

Impact Analysis

This vulnerability allows unauthenticated attackers to obtain the webhook token, which could potentially be used to access or manipulate webhook-related functionality, leading to unauthorized access or data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12677. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart