{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39542", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:15.448Z", "datePublished": "2026-04-08T08:30:17.588Z", "dateUpdated": "2026-04-29T09:52:02.103Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "doofinder-for-woocommerce", "product": "Doofinder for WooCommerce", "vendor": "Doofinder", "versions": [{"changes": [{"at": "2.10.14", "status": "unaffected"}], "lessThanOrEqual": "2.10.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:51.763Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.<p>This issue affects Doofinder for WooCommerce: from n/a through <= 2.10.13.</p>"}], "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Doofinder for WooCommerce: from n/a through <= 2.10.13."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.103Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/doofinder-for-woocommerce/vulnerability/wordpress-doofinder-for-woocommerce-plugin-2-10-13-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Doofinder for WooCommerce plugin <= 2.10.13 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T18:26:37.233188Z", "id": "CVE-2026-39542", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:27:54.277Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39542", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T18:26:37.233188Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T18:25:32.203Z"}}], "cna": {"title": "WordPress Doofinder for WooCommerce plugin <= 2.10.13 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Doofinder", "product": "Doofinder for WooCommerce", "versions": [{"status": "affected", "changes": [{"at": "2.10.14", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.10.13"}], "packageName": "doofinder-for-woocommerce", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:51.763Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/doofinder-for-woocommerce/vulnerability/wordpress-doofinder-for-woocommerce-plugin-2-10-13-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Doofinder for WooCommerce: from n/a through <= 2.10.13.", "supportingMedia": [{"type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.<p>This issue affects Doofinder for WooCommerce: from n/a through <= 2.10.13.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.103Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39542", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:52:02.103Z", "dateReserved": "2026-04-07T10:48:15.448Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:17.588Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Doofinder for WooCommerce: from n/a through <= 2.10.13."}], "id": "CVE-2026-39542", "lastModified": "2026-04-24T18:07:25.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:26.790", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/doofinder-for-woocommerce/vulnerability/wordpress-doofinder-for-woocommerce-plugin-2-10-13-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.10.13]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.10.14,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Doofinder for WooCommerce", "source": "cna", "vendor": "Doofinder"}, "product": "doofinder_for_woocommerce", "vendor": "doofinder"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-14T20:57:01.316102+00:00", "value": {"mitigation_remediation": ["Update the Doofinder for WooCommerce plugin to a version newer than 2.10.13.", "If an update is unavailable, consider disabling the plugin until a patch is released.", "Verify the plugin configuration to ensure it does not send sensitive data inadvertently.", "Monitor official Doofinder announcements or security advisories for patches."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The affected component is the Doofinder for WooCommerce plugin for WordPress, with all releases from the earliest available version through 2.10.13 vulnerable. Site operators who have not upgraded beyond the stated maximum version are at risk.", "description_and_impact": "The vulnerability is an insertion of sensitive information into data that is sent by the Doofinder for WooCommerce plugin. As a result, sensitive data that should not be transmitted can be retrieved. The weakness corresponds to CWE-201 and can potentially expose confidential user information, compromising confidentiality and potentially enabling further attacks against the website\u2019s users.", "risk_and_exploitability": "The CVSS base score of 5.3 places the vulnerability in the medium severity range. The EPSS score is below 1\u202f%, indicating a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Likely exploitation would come from web traffic that interacts with the plugin\u2019s checkout or search features, so the attack vector is probably network\u2011based. As no specific workaround is published, the primary defense is to apply the vendor update."}}}}, "created": "2026-04-08T19:30:21.528094+00:00", "updated": "2026-04-15T16:15:11.945092+00:00", "vendors": ["doofinder", "doofinder$PRODUCT$doofinder_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}