{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39571", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:32.434Z", "datePublished": "2026-04-08T08:30:20.418Z", "dateUpdated": "2026-04-08T08:30:20.418Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "instantio", "product": "Instantio", "vendor": "Themefic", "versions": [{"changes": [{"at": "3.3.31", "status": "unaffected"}], "lessThanOrEqual": "3.3.30", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:57.198Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themefic Instantio instantio allows Retrieve Embedded Sensitive Data.<p>This issue affects Instantio: from n/a through <= 3.3.30.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themefic Instantio instantio allows Retrieve Embedded Sensitive Data.This issue affects Instantio: from n/a through <= 3.3.30."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:20.418Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/instantio/vulnerability/wordpress-instantio-plugin-3-3-30-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Instantio plugin <= 3.3.30 - Sensitive Data Exposure vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themefic Instantio instantio allows Retrieve Embedded Sensitive Data.This issue affects Instantio: from n/a through <= 3.3.30."}], "id": "CVE-2026-39571", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:28.360", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/instantio/vulnerability/wordpress-instantio-plugin-3-3-30-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.30]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[3.3.31,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Instantio", "source": "cna", "vendor": "Themefic"}, "product": "instantio", "vendor": "themefic"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:48:24.824539+00:00", "value": {"mitigation_remediation": ["Update Instantio plugin to the latest version (>=3.3.31).", "If an update cannot be applied immediately, block unauthenticated access to the plugin\u2019s data retrieval endpoint through web\u2011server rules or firewall policies, or disable the plugin entirely.", "Verify that no sensitive system information remains exposed by scanning the site with vulnerability assessment tools after remediation."], "summary": {"action": "Update Plugin", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "This flaw affects instances of Themefic:Instantio up to and including version 3.3.30. All installations running 3.3.30 or earlier are vulnerable. The plugin does not provide an authentication check for the data retrieval functionality, which explains why any visitor can trigger the information dump.", "description_and_impact": "The vulnerability permits the exposure of sensitive system information to an unauthorized control sphere. An attacker can retrieve embedded sensitive data from the WordPress Instantio plugin. The weakness, identified as CWE-497, allows unauthenticated users to access information that should be restricted, potentially revealing configuration details, internal paths, or other privileged data.", "risk_and_exploitability": "Because the plugin lacks input validation and authentication, exploitation is straightforward, relying on a simple HTTP request. The CVSS score is not supplied, and the absence of an EPSS score and the KEV catalog listing suggest a moderate exploitation likelihood. Nevertheless, the exposure of sensitive information carries a high impact to confidentiality if the plugin is publicly accessible."}}}}, "created": "2026-04-08T19:30:04.082589+00:00", "updated": "2026-04-08T19:42:25.273231+00:00", "vendors": ["themefic", "themefic$PRODUCT$instantio", "wordpress", "wordpress$PRODUCT$wordpress"]}