CVE-2025-49300 LOW

CVE-2025-49300: WordPress Traveler Option Tree plugin <= 2.8 - Sensitive Data Exposure vulnerability

Vendor Shinetheme
Product Traveler Option Tree
Weakness CWE-201
Published December 16, 2025
Last update April 28, 2026

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Insertion of Sensitive Information Into Sent Data vulnerability in shinetheme Traveler Option Tree custom-option-tree allows Retrieve Embedded Sensitive Data.This issue affects Traveler Option Tree: from n/a through <= 2.8.

Explanation of Vulnerability in Simple Terms

02Summary

Traveler Option Tree versions 2.8 and earlier contain an information disclosure vulnerability. An authenticated administrator can read sensitive data that should not be accessible to their privilege level. The vulnerability requires high-level administrative access and does not affect data integrity or availability. Update to a version newer than 2.8.

What an attacker can do

03Attacker Capabilities

Read sensitive information accessible only to higher-privilege administrators.

Potential impact on your site

04Site Impact

Administrators with restricted roles may access data beyond their intended permissions.

Conditions required to exploit

05Prerequisites

Attacker must have high-level administrative credentials on the site.

Key dates

06Disclosure timeline

December 16, 2025 CVE published
April 28, 2026 Record updated