CVE-2025-4390 MEDIUM

CVE-2025-4390: WP Private Content Plus <= 3.6.2 - Unauthenticated Sensitive Information Exposure

Vendor Nimeshrmr

Product WP Private Content Plus

Weakness CWE-200 · Info exposure

Published August 12, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' function. This makes it possible for unauthenticated attackers to extract sensitive data including the content of resticted posts on archive and feed pages.

Key dates

02Disclosure timeline

August 12, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-4390

Related vulnerabilities

04Related CVE

CVE-2023-27265 Disclosure of team owner email address when regenerating Invite ID CVE-2023-43123 Apache Storm: Local Information Disclosure Vulnerability in Storm-core on Unix-Like systems due temporary files CVE-2026-40166 authentik: Non-admin user can retrieve confidential OAuth client_secret via /api/v3/oauth2/access_tokens/ CVE-2024-47080 matrix-js-sdk keys sent via `sendSharedHistoryKeys` vulnerable to interception by malicious homeserver CVE-2020-3362 Cisco Network Services Orchestrator Information Disclosure Vulnerability