CVE-2025-24567: 
WordPress vulnerability analysis and mitigation

The WP Mailster WordPress plugin, versions up to and including 1.8.16.0, contains a Sensitive Data Exposure vulnerability. This vulnerability was discovered and reported by Mika on November 7, 2024, and was publicly disclosed on December 7, 2024. The issue has been assigned CVE-2025-24567 and affects the plugin's data handling mechanisms (Patchstack).

The vulnerability is classified as an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201). It has been assigned a CVSS v3.1 score of 6.5 (MEDIUM) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability requires a low privilege level (Subscriber) to exploit and does not require user interaction (NVD).

The vulnerability allows attackers to retrieve embedded sensitive data that is normally not accessible to regular users. This exposure of sensitive information could potentially be leveraged to exploit other weaknesses in the system (Patchstack).

The vulnerability has been fixed in version 1.8.17.0 of the WP Mailster plugin. Users are advised to update to this version or later immediately. For users unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until the update can be performed (Patchstack).