CVE-2026-42379
Received - Intake
Sensitive Data Exposure in WPDeveloper Templately via Data Insertion

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.6.1.
Meta Information
Published: 2026-04-27
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-27
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: wpdeveloper
Product: templately
Version / Range: to 3.6.1 (inc)
CWE-201: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects WordPress Templately Plugin versions up to and including 3.6.1 and allows users with Contributor or Developer privileges to access sensitive information. Detection involves verifying the plugin version installed on your system.

You can check the installed version of the Templately plugin on your WordPress site by running commands or using the WordPress admin interface.

  • Use WP-CLI command to check the plugin version: wp plugin list | grep templately
  • Alternatively, check the plugin version in the WordPress admin dashboard under Plugins.

If the version is 3.6.1 or lower, your system is vulnerable. There are no specific network detection commands provided for this vulnerability.
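
The version check above as a script, added here as an example and not taken from the advisory or the plugin vendor. It matches the plugin name exactly (a plain `grep templately` also matches any other plugin whose name contains that string) and compares against 3.6.2, the patched release named on this page. It assumes WP-CLI's CSV output and GNU `sort -V`; the sample rows, including the `templately-addon-example` name, are constructed.

```shell
#!/bin/sh
# Added example: classify a Templately install from `wp plugin list` CSV output.
FIXED_VERSION="3.6.2"   # first patched release, as stated on this page

# version_lt A B: succeeds when version A sorts strictly before B.
# Assumption: `sort -V` (GNU coreutils version sort) is available.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# templately_status: reads CSV rows (name,status,version) on stdin and prints
#   not-installed | patched:<ver> | outdated-active:<ver> | outdated-inactive:<ver>
templately_status() {
    # Exact match on the name column, so similarly named plugins are ignored.
    row=$(awk -F, '$1 == "templately" { print $2 "," $3; exit }')
    [ -n "$row" ] || { echo "not-installed"; return 0; }
    status=${row%%,*}
    version=${row#*,}
    if version_lt "$version" "$FIXED_VERSION"; then
        case "$status" in
            active*) echo "outdated-active:$version" ;;    # active or active-network
            *)       echo "outdated-inactive:$version" ;;  # code is still on disk
        esac
    else
        echo "patched:$version"
    fi
}

# Constructed sample of: wp plugin list --fields=name,status,version --format=csv
SAMPLE='name,status,version
akismet,active,5.3
templately-addon-example,active,1.0.0
templately,active,3.6.1'

# On a live site, pipe the wp command above into templately_status instead.
printf '%s\n' "$SAMPLE" | templately_status
```
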


Can you explain this vulnerability to me?

CVE-2026-42379 is a Sensitive Data Exposure vulnerability in the WordPress Templately Plugin versions up to and including 3.6.1.

This vulnerability allows malicious actors who have Contributor or Developer privileges to access sensitive information that is normally restricted from regular users.

Such exposure can facilitate further exploitation of other system weaknesses.


How can this vulnerability impact me?

The vulnerability can lead to unauthorized access to sensitive information by users with Contributor or Developer privileges.

This exposure of sensitive data can increase the risk of further exploitation of other vulnerabilities within the system.

Although the CVSS score is high (7.7), the priority is rated low due to limited impact and exploitation likelihood.

However, the vulnerability is commonly exploited in mass campaigns targeting many websites regardless of their popularity.

Immediate remediation by updating the plugin to version 3.6.2 or later is strongly advised to mitigate the risk.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to update the WordPress Templately Plugin to version 3.6.2 or later, where the vulnerability has been patched.

If automatic updates are available through Patchstack or your hosting provider, use them to quickly apply the patch.

If updating immediately is not possible, restrict Contributor or Developer privileges to trusted users only to reduce the risk of exploitation.

Seek assistance from your hosting provider or developers to ensure the plugin is updated and properly secured.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the WordPress Templately Plugin allows unauthorized access to sensitive information by users with Contributor or Developer privileges. Exposure of sensitive data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over the confidentiality and integrity of personal and sensitive information.

Since the vulnerability is classified under OWASP Top 10 category A3: Sensitive Data Exposure and has a high CVSS score of 7.7, it represents a significant risk to the confidentiality of sensitive data. Organizations using affected versions of the plugin may face compliance issues if sensitive data is exposed due to this vulnerability.

Mitigation by updating to version 3.6.2 or later is strongly advised to reduce the risk of sensitive data exposure and help maintain compliance with relevant standards and regulations.

