{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39572", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:32.434Z", "datePublished": "2026-04-08T08:30:20.629Z", "dateUpdated": "2026-04-08T08:30:20.629Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bus-ticket-booking-with-seat-reservation", "product": "Bus Ticket Booking with Seat Reservation", "vendor": "magepeopleteam", "versions": [{"changes": [{"at": "5.6.5", "status": "unaffected"}], "lessThanOrEqual": "5.6.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:53.604Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Retrieve Embedded Sensitive Data.<p>This issue affects Bus Ticket Booking with Seat Reservation: from n/a through < 5.6.5.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Retrieve Embedded Sensitive Data.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through < 5.6.5."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:20.629Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/bus-ticket-booking-with-seat-reservation/vulnerability/wordpress-bus-ticket-booking-with-seat-reservation-plugin-5-6-5-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Bus Ticket Booking with Seat Reservation plugin < 5.6.5 - Sensitive Data Exposure vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Retrieve Embedded Sensitive Data.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through < 5.6.5."}], "id": "CVE-2026-39572", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:28.497", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/bus-ticket-booking-with-seat-reservation/vulnerability/wordpress-bus-ticket-booking-with-seat-reservation-plugin-5-6-5-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.6.5]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "matching"}]}, "original": {"product": "Bus Ticket Booking with Seat Reservation", "source": "cna", "vendor": "magepeopleteam"}, "product": "bus_ticket_booking_with_seat_reservation", "vendor": "mage-people"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:47:56.951741+00:00", "value": {"mitigation_remediation": ["Update the Bus Ticket Booking with Seat Reservation plugin to version 5.6.5 or later. ", "Verify that the applied update removes the data exposure functionality. ", "If an upgrade is not possible, temporarily disable the plugin until a patch is available. ", "Restrict administrative access to the plugin\u2019s settings pages to trusted users only. ", "Regularly review system logs for any unauthorized data access attempts."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is the Bus Ticket Booking with Seat Reservation plugin developed by magepeopleteam. Versions from the earliest available up to but not including 5.6.5 are vulnerable. Only these earlier releases are impacted; any release equal to or newer than 5.6.5 is exempt.", "description_and_impact": "This vulnerability allows the fairly broad disclosure of sensitive system information. An unauthorized party can retrieve embedded sensitive data from the Bus Ticket Booking with Seat Reservation plugin. The weakness is a data\u2011exposure flaw classified as CWE\u2011497. The impact is that personal or administrative information handled by the plugin may become accessible to users who should not have such access, compromising confidentiality.", "risk_and_exploitability": "No CVSS score was provided in the available data, so the exact severity cannot be quantified. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, implying that large\u2011scale known exploitation has not been observed. Based on the description, the likely attack vector is remote via the web interface, where an unauthenticated or minimally privileged user could trigger the data retrieval. Because the code path permits access to system data, any successful exploitation would expose confidential data to the attacker."}}}}, "created": "2026-04-08T19:42:23.803647+00:00", "updated": "2026-04-09T08:22:09.879163+00:00", "vendors": ["mage-people", "mage-people$PRODUCT$bus_ticket_booking_with_seat_reservation", "wordpress", "wordpress$PRODUCT$wordpress"]}