CVE-2026-32354
Insertion of Sensitive Data Vulnerability in WpEvently
Publication date: 2026-03-13
Last updated on: 2026-03-17
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| magepeople | wp_evently | to 5.1.9 (exc) |
| magepeopleteam | wp_evently | to 5.1.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32354 is a vulnerability in the WordPress WpEvently Plugin versions prior to 5.1.9 that allows unauthenticated attackers to access sensitive information that should normally be restricted. This issue is classified under the OWASP Top 10 category A3 (Sensitive Data Exposure). The vulnerability involves the insertion of sensitive information into sent data, which can be retrieved by attackers without any privileges.
How can this vulnerability impact me? :
This vulnerability can lead to exposure of sensitive data to unauthorized users. Although the severity is rated as low with a CVSS score of 5.3, the exposure of sensitive information could potentially be leveraged by attackers to exploit other weaknesses in the system. Since no privileges are required to exploit this vulnerability, it poses a risk of data leakage to unauthenticated users.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability affects WordPress sites using the WpEvently plugin versions prior to 5.1.9. To detect if your system is vulnerable, you should check the installed version of the WpEvently plugin.'}, {'type': 'list_item', 'content': 'On a WordPress server, you can check the plugin version by running the following command in the WordPress plugins directory:'}, {'type': 'list_item', 'content': "grep 'Version:' wp-eventpress/plugin-file.php"}, {'type': 'paragraph', 'content': 'Alternatively, you can check the plugin version from the WordPress admin dashboard under Plugins. If the version is less than 5.1.9, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows unauthenticated access to sensitive data, monitoring network traffic for suspicious requests targeting the WpEvently plugin endpoints may help detect exploitation attempts, but no specific commands for network detection are provided.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update the WpEvently plugin to version 5.1.9 or later, where the vulnerability has been patched.
Additionally, enabling auto-updates for the plugin can help ensure that future vulnerabilities are patched promptly.
Since the vulnerability requires no privileges to exploit, restricting access to the plugin endpoints via firewall rules or web application firewall (WAF) rules may provide temporary protection until the update is applied.