CVE-2025-2942: 
WordPress vulnerability analysis and mitigation

The Order Delivery Date WordPress plugin before version 12.6.0 contains a vulnerability identified as CVE-2025-2942. This security flaw allows unauthenticated attackers to disclose arbitrary post titles, including those from draft and private posts, through an unauthenticated AJAX action (WPScan).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The flaw is classified as a Sensitive Data Disclosure vulnerability and is mapped to CWE-200. The issue specifically involves an unauthenticated AJAX action that can be exploited to retrieve post titles from non-public content (WPScan, NVD).

The vulnerability allows attackers to access and retrieve post titles from draft and private posts that should not be publicly accessible. This information disclosure could potentially reveal sensitive or confidential information contained within post titles (WPScan).

The vulnerability has been fixed in version 12.6.0 of the Order Delivery Date WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).