CVE-2025-12747

MEDIUM5.3

Tainacan <= 1.0.0 - Unauthenticated Information Exposure

Published Nov 21, 2025

Modified 1 months ago

No fix available

Details

The Tainacan plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via uploaded files marked as private being exposed in wp-content without adequate protection. This makes it possible for unauthenticated attackers to extract potentially sensitive information from files that have been marked as private.

References

WEBhttps://github.com/tainacan/tainacan/blob/2491612ee9d5b14baa70862ba2308ee925de0938/src/classes/class-tainacan-private-files.php WEBhttps://github.com/tainacan/tainacan/compare/1.0.0...1.0.1 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-12747 WEBhttps://www.wordfence.com/threat-intel/vulnerabilities/id/c64869f0-a4dd-4135-8ed8-a6ff82a48e1f?source=cve

CVSS Analysis

CVSS v3.1

5.3

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

NoneI:N

Availability

NoneA:N

5.3/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Weakness Type (CWE)

Other

CWE-552

Ecosystems

Timeline

PublishedNov 21, 2025

ModifiedNov 21, 2025