CVE-2026-39570
Received Received - Intake
Sensitive Data Exposure in 12 Step Meeting List via Data Insertion

Publication date: 2026-04-08

Last updated on: 2026-04-14

Assigner: Patchstack

Description
Insertion of Sensitive Information Into Sent Data vulnerability in AA Web Servant 12 Step Meeting List 12-step-meeting-list allows Retrieve Embedded Sensitive Data.This issue affects 12 Step Meeting List: from n/a through <= 3.19.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39570
EUVD
EUVD-2026-20217
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to access sensitive information that is normally restricted, which could lead to exposure of personal or sensitive data.

Such exposure of sensitive data may impact compliance with data protection regulations like GDPR and HIPAA, as these standards require protection of sensitive information from unauthorized access.

Organizations using affected versions of the plugin should update to the patched version 3.19.10 or later to mitigate the risk and help maintain compliance with these regulations.

Detection Guidance

This vulnerability affects the WordPress 12 Step Meeting List Plugin versions up to and including 3.19.9. Detection involves identifying if this vulnerable plugin version is installed on your WordPress site.

To detect the vulnerability on your system, you can check the installed plugin version by accessing your WordPress admin dashboard or by inspecting the plugin files directly.

  • Use WP-CLI command to list installed plugins and their versions: wp plugin list
  • Look for '12-step-meeting-list' plugin and verify if the version is less than or equal to 3.19.9.
  • Alternatively, you can check the plugin version by examining the plugin's main PHP file header in the WordPress plugins directory.

Network detection of exploitation attempts may involve monitoring HTTP requests for unusual access patterns to the plugin endpoints that could expose sensitive data, but no specific commands or signatures are provided.

Executive Summary

CVE-2026-39570 is a Sensitive Data Exposure vulnerability found in the WordPress 12 Step Meeting List Plugin versions up to and including 3.19.9.

This vulnerability allows unauthenticated attackers to access sensitive information that is normally restricted from regular users.

No special privileges are required to exploit this vulnerability.

The issue is classified under the OWASP Top 10 category A3: Sensitive Data Exposure.

Impact Analysis

Exploitation of this vulnerability can lead to unauthorized access to sensitive information that should be protected.

This exposure could potentially enable further exploitation of the affected system.

The vulnerability has a CVSS severity score of 5.3, indicating a low priority threat, but it has been used in mass-exploit campaigns targeting many websites.

Mitigation Strategies

To mitigate the vulnerability in the WordPress 12 Step Meeting List Plugin, users should update the plugin to version 3.19.10 or later, where the issue has been patched.

Additionally, using services like Patchstack's mitigation offerings, which include auto-updates for vulnerable plugins, can help reduce the risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39570. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart