Home

Description

The Tainacan plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.0 via uploaded files marked as private being exposed in wp-content without adequate protection. This makes it possible for unauthenticated attackers to extract potentially sensitive information from files that have been marked as private.

PUBLISHED Reserved 2025-11-05 | Published 2025-11-21 | Updated 2025-11-21 | Assigner Wordfence




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-552 Files or Directories Accessible to External Parties

Product status

Default status
unaffected

* (semver)
affected

Timeline

2025-11-05:Vendor Notified
2025-11-20:Disclosed

Credits

Peb finder

References

www.wordfence.com/...-a4dd-4135-8ed8-a6ff82a48e1f?source=cve

github.com/...8/src/classes/class-tainacan-private-files.php

github.com/tainacan/tainacan/compare/1.0.0...1.0.1

cve.org (CVE-2025-12747)

nvd.nist.gov (CVE-2025-12747)

Download JSON