CVE-2025-22303: 
WordPress vulnerability analysis and mitigation

The WP Mailster WordPress plugin contains a Sensitive Information Exposure vulnerability (CVE-2025-22303) discovered by Dhabaleshwar Das. This vulnerability affects all versions of WP Mailster up to and including 1.8.17.0, allowing unauthenticated attackers to extract sensitive user or configuration data (WPScan, Patchstack).

The vulnerability is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). It has received varying CVSS scores, with the NVD assigning a HIGH severity score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), while Patchstack rates it as MEDIUM severity with a score of 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). The vulnerability requires no authentication to exploit and has network-based attack vectors (NVD).

This vulnerability could allow malicious actors to view sensitive information that is normally not accessible to regular users. The exposed data could potentially be used to exploit other weaknesses in the system (Patchstack).

The vulnerability has been fixed in version 1.8.18.0 of the WP Mailster plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).