CVE-2025-68035
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tabbyai | tabby_checkout | to 5.8.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-68035 is a Sensitive Data Exposure vulnerability in the WordPress Tabby Checkout Plugin (versions up to 5.8.4). It allows unauthenticated attackers to retrieve embedded sensitive information that should normally be restricted. This means attackers can access sensitive data without needing any privileges, posing a significant security risk. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive information on your website, potentially enabling further exploitation of your system. Since it requires no privileges to exploit, it increases the risk of data breaches and compromises the confidentiality of sensitive data handled by the Tabby Checkout plugin. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific commands provided to detect this vulnerability on your network or system. However, since the vulnerability allows unauthenticated access to sensitive data, monitoring for unusual or unauthorized access attempts to the Tabby Checkout plugin endpoints could help detect exploitation attempts. Using security monitoring tools that support Patchstack's automated vulnerability mitigation and continuous security monitoring is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the mitigation rule released by Patchstack to block attacks targeting this vulnerability until an official patch is available. Users are strongly advised to implement this mitigation immediately to protect their websites. Additionally, employing Patchstack's automated vulnerability mitigation and continuous security monitoring can help safeguard affected WordPress installations. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to access sensitive information that should normally be restricted, which could lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA. Exposure of sensitive data may violate requirements for protecting personal and health information, potentially resulting in legal and regulatory consequences. However, the provided resources do not explicitly discuss compliance impacts. [1]