CVE-2025-2840: 
WordPress vulnerability analysis and mitigation

The DAP to Autoresponders Email Syncing plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 1.0. The vulnerability was discovered and disclosed on March 29, 2025, and affects the plugin through a publicly accessible phpinfo.php script. This security issue has been assigned CVE-2025-2840 and has been marked for NVD enrichment efforts (NVD).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability exists in the publicly accessible phpinfo.php script within the plugin's infusionsoft_src directory, which can expose sensitive server configuration information (Wordfence).

The vulnerability allows unauthenticated attackers to view potentially sensitive information contained in the exposed phpinfo.php file. This information could include server configuration details, installed modules, and other system information that could be valuable for planning further attacks (NVD).

The plugin has been temporarily closed as of March 27, 2025, pending a full security review. Users are advised to remove or disable the plugin until a security patch is available (WordPress Plugin).