CVE-2026-39570
Received - Intake
Sensitive Data Exposure in 12 Step Meeting List via Data Insertion

Publication date: 2026-04-08

Last updated on: 2026-04-14

Assigner: Patchstack

Description
Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List (12-step-meeting-list) allows Retrieve Embedded Sensitive Data. This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-201: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39570 is a Sensitive Data Exposure vulnerability found in the WordPress 12 Step Meeting List Plugin versions up to and including 3.19.9.

This vulnerability allows unauthenticated attackers to access sensitive information that is normally restricted from regular users.

No special privileges are required to exploit this vulnerability.

The issue is classified under the OWASP Top 10 category A3: Sensitive Data Exposure.


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to unauthorized access to sensitive information that should be protected.

This exposure could potentially enable further exploitation of the affected system.

The vulnerability has a CVSS severity score of 5.3, indicating a low priority threat, but it has been used in mass-exploit campaigns targeting many websites.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to access sensitive information that is normally restricted, which could lead to exposure of personal or sensitive data.

Such exposure of sensitive data may impact compliance with data protection regulations like GDPR and HIPAA, as these standards require protection of sensitive information from unauthorized access.

Organizations using affected versions of the plugin should update to the patched version 3.19.10 or later to mitigate the risk and help maintain compliance with these regulations.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability in the WordPress 12 Step Meeting List Plugin, users should update the plugin to version 3.19.10 or later, where the issue has been patched.

Additionally, using services like Patchstack's mitigation offerings, which include auto-updates for vulnerable plugins, can help reduce the risk.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects the WordPress 12 Step Meeting List Plugin versions up to and including 3.19.9. Detection involves identifying if this vulnerable plugin version is installed on your WordPress site.

To detect the vulnerability on your system, you can check the installed plugin version by accessing your WordPress admin dashboard or by inspecting the plugin files directly.

  • Use the WP-CLI command to list installed plugins and their versions: wp plugin list
  • Look for the '12-step-meeting-list' plugin and verify whether its version is less than or equal to 3.19.9.
  • Alternatively, check the plugin version by examining the Version header of the plugin's main PHP file in the WordPress plugins directory.

Network detection of exploitation attempts may involve monitoring HTTP requests for unusual access patterns to the plugin endpoints that could expose sensitive data, but no specific commands or signatures are provided.
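The version check from the steps above, written out as an added example that is not part of this advisory or of the plugin's own code. It assumes the four-column layout of `wp plugin list --format=csv` (name,status,update,version) and a standard WordPress plugin header block, and it substitutes a constructed sample for live WP-CLI output so it runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory or the plugin): flag an installed
# 12 Step Meeting List plugin whose version is in the affected range (<= 3.19.9).
set -eu

PLUGIN_SLUG="12-step-meeting-list"
FIXED_VERSION="3.19.10"   # first patched release named in the advisory

# version_is_affected VERSION -> returns 0 when VERSION sorts below FIXED_VERSION.
version_is_affected() {
  installed="$1"
  if [ -z "$installed" ] || [ "$installed" = "$FIXED_VERSION" ]; then
    return 1            # not installed, or exactly the fixed release
  fi
  # sort -V orders version strings component by component (3.19.9 < 3.19.10).
  lowest="$(printf '%s\n%s\n' "$installed" "$FIXED_VERSION" | sort -V | head -n 1)"
  if [ "$lowest" = "$installed" ]; then
    return 0
  fi
  return 1
}

# version_from_plugin_list SLUG < csv -> prints SLUG's version column from
# `wp plugin list --format=csv` output (assumed columns: name,status,update,version).
version_from_plugin_list() {
  awk -F, -v slug="$1" 'NR > 1 && $1 == slug { print $4 }'
}

# version_from_header FILE -> prints the "Version:" value from the header
# comment block of a plugin's main PHP file.
version_from_header() {
  grep -m 1 -E '^[[:space:]*#/]*Version:' "$1" \
    | sed -E 's/^.*Version:[[:space:]]*//; s/[[:space:]]+$//'
}
# Constructed sample standing in for live `wp plugin list --format=csv` output.
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,5.3
12-step-meeting-list,active,available,3.19.9'

main() {
  v="$(printf '%s\n' "$SAMPLE_PLUGIN_LIST" | version_from_plugin_list "$PLUGIN_SLUG")"
  if version_is_affected "$v"; then
    echo "$PLUGIN_SLUG $v is in the affected range; update to $FIXED_VERSION or later"
  else
    echo "$PLUGIN_SLUG ${v:-(not installed)} is not in the affected range"
  fi
}
main "$@"
```

On a live site, replace the sample with `wp plugin list --format=csv` piped into version_from_plugin_list, or point version_from_header at the plugin's main PHP file under wp-content/plugins.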

