Description
The Tainacan plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via uploaded files marked as private being exposed in wp-content without adequate protection. This makes it possible for unauthenticated attackers to extract potentially sensitive information from files that have been marked as private.
Scores
CVSS v3
5.3
EPSS
0.0006
EPSS Percentile
19.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-552
Status
published
Products (1)
tainacan/Tainacan
< 1.0.0
Published
Nov 21, 2025
Tracked Since
Feb 18, 2026