{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39542", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:15.448Z", "datePublished": "2026-04-08T08:30:17.588Z", "dateUpdated": "2026-04-08T08:30:17.588Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "doofinder-for-woocommerce", "product": "Doofinder for WooCommerce", "vendor": "Doofinder", "versions": [{"changes": [{"at": "2.10.14", "status": "unaffected"}], "lessThanOrEqual": "2.10.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:51.763Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.<p>This issue affects Doofinder for WooCommerce: from n/a through <= 2.10.13.</p>"}], "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Doofinder for WooCommerce: from n/a through <= 2.10.13."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:17.588Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/doofinder-for-woocommerce/vulnerability/wordpress-doofinder-for-woocommerce-plugin-2-10-13-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Doofinder for WooCommerce plugin <= 2.10.13 - Sensitive Data Exposure vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in Doofinder Doofinder for WooCommerce doofinder-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Doofinder for WooCommerce: from n/a through <= 2.10.13."}], "id": "CVE-2026-39542", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:26.790", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/doofinder-for-woocommerce/vulnerability/wordpress-doofinder-for-woocommerce-plugin-2-10-13-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.10.13]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[2.10.14,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Doofinder for WooCommerce", "source": "cna", "vendor": "Doofinder"}, "product": "doofinder_for_woocommerce", "vendor": "doofinder"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:52:04.756937+00:00", "value": {"mitigation_remediation": ["Update the Doofinder for WooCommerce plugin to the latest version (v2.10.14 or newer).", "Verify that the plugin\u2019s logging mechanisms are disabled or configured to exclude sensitive data.", "If an upgrade cannot be performed immediately, consider disabling the plugin until a patched version is available."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the Doofinder for WooCommerce plugin version 2.10.13 or earlier are affected. The issue applies to every installation of the plugin from its earliest release up through 2.10.13, regardless of WordPress version. The product is provided by Doofinder and is included in WordPress installations that use eCommerce capabilities.", "description_and_impact": "The vulnerability in the Doofinder for WooCommerce plugin allows the application to insert sensitive information into outgoing data. This data can be retrieved by an attacker who can trigger the plugin\u2019s request mechanisms, leading to the disclosure of confidential user data such as identifiers, credentials, or payment information. The primary consequence is a loss of confidentiality; there is no indication of integrity or availability impact.", "risk_and_exploitability": "No CVSS or EPSS score is publicly available for this vulnerability, and it is not listed in the CISA KEV catalog. Consequently, the precise exploitation risk cannot be quantified from the data provided. The likely attack vector is that an attacker can interact with the plugin\u2019s search or suggestion endpoints\u2014either unauthenticated or authenticated\u2014to cause the plugin to send sensitive data in its responses. Because no additional exploitation details are disclosed, it is inferred that the vulnerability may be exploitable but its exploitation complexity remains unknown."}}}}, "created": "2026-04-08T19:30:21.528094+00:00", "updated": "2026-04-08T19:42:37.861796+00:00", "vendors": ["doofinder", "doofinder$PRODUCT$doofinder_for_woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}