What the vulnerability does
01Description
Insertion of Sensitive Information Into Sent Data vulnerability in shinetheme Traveler Option Tree custom-option-tree allows Retrieve Embedded Sensitive Data.This issue affects Traveler Option Tree: from n/a through <= 2.8.
Explanation of Vulnerability in Simple Terms
02Summary
Traveler Option Tree versions 2.8 and earlier contain an information disclosure vulnerability. An authenticated administrator can read sensitive data that should not be accessible to their privilege level. The vulnerability requires high-level administrative access and does not affect data integrity or availability. Update to a version newer than 2.8.
What an attacker can do
03Attacker Capabilities
Read sensitive information accessible only to higher-privilege administrators.
Potential impact on your site
04Site Impact
Administrators with restricted roles may access data beyond their intended permissions.
Conditions required to exploit
05Prerequisites
Attacker must have high-level administrative credentials on the site.
Key dates
06Disclosure timeline
December 16, 2025
CVE published
April 28, 2026
Record updated