CVE-2024-35690
Deferred - Pending Action
Sensitive Data Exposure in Widget Options

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Insertion of sensitive information into sent data vulnerability in MarketingFire Widget Options allows Retrieve Embedded Sensitive Data. This issue affects Widget Options: from n/a through 4.0.1.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
patchstack | widget_options | From 4.0.0 (inc) to 4.0.1 (inc)
CWE ID | Description
CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Compliance Impact

This vulnerability allows unauthorized access to sensitive information that is normally restricted, which can lead to exposure of personal or confidential data.

Such exposure of sensitive data can result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access.

Therefore, if exploited, this vulnerability could cause organizations using the affected plugin to violate these standards, potentially leading to legal and financial consequences.

Executive Summary

The vulnerability in the WordPress Widget Options Plugin (versions 4.0.1 and below) is a sensitive data exposure flaw. It allows attackers to retrieve embedded sensitive information that should normally be restricted from regular users. This means unauthorized users can access sensitive data through the plugin due to broken access control.

This issue is classified under OWASP Top 10's A1: Broken Access Control and has a CVSS severity score of 6.5, indicating a moderate level of risk.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information to attackers. Such exposure can enable further exploitation of system weaknesses, potentially compromising the security and privacy of your data.

Because the vulnerability allows attackers to view sensitive data, it increases the risk of data breaches and may lead to loss of trust, reputational damage, and potential financial consequences.

Detection Guidance

The vulnerability allows attackers to view sensitive information through the WordPress Widget Options Plugin versions 4.0.1 and below. Detection can involve monitoring for unusual access patterns or attempts to retrieve restricted user metadata.

While specific commands are not provided, general detection methods include checking web server logs for suspicious requests targeting the Widget Options plugin endpoints or using web application firewalls (WAF) with rules designed to detect attempts to exploit this vulnerability.

Patchstack has provided a mitigation rule to block attacks until the plugin is updated, which can also help in detecting exploitation attempts.

Mitigation Strategies

The immediate recommended step is to update the WordPress Widget Options Plugin to version 4.0.2 or later, where the vulnerability has been patched.

Until the update can be applied, users should implement the mitigation rule provided by Patchstack to block attacks targeting this vulnerability.

Additionally, users may seek assistance from their hosting provider or developer to ensure proper application of the patch and mitigation measures.
