
Description

An Insertion of Sensitive Information into Sent Data vulnerability in the Ideal Postcodes UK Address Postcode Validation WordPress plugin exposes the API key, allowing unauthorized third parties to retrieve and reuse the key from any domain. Since API keys are unrestricted by default, with the “Allowed URLs” field left empty when the API key is created, this can lead to unauthorized use and depletion of API credits.

Note: the vulnerability is assessed based on the default configuration.

This issue affects UK Address Postcode Validation: from n/a through 3.9.2.

State: PUBLISHED | Reserved 2025-08-22 | Published 2025-09-22 | Updated 2025-10-28 | Assigner: Patchstack




MEDIUM: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Problem types

CWE-201 Insertion of Sensitive Information Into Sent Data

Product status

Default status
unaffected

Any version
affected

Timeline

2025-08-19: Vendor was notified about the vulnerability.
2025-09-22: Database entry and CVE published (no patched version, no reply from the vendor).
2025-09-29: Vendor contacted back to ask for additional details.
2025-10-03: Vendor claims there is no issue, refuses to patch (hide API key from public access).
2025-10-24: Patch released.

Credits

Finder: Nabil Irawan (Patchstack Bug Bounty Program)

Remediation developer: Christopher Blanchard

References

patchstack.com/...tive-data-exposure-vulnerability?_s_id=cve vdb-entry

cve.org (CVE-2025-57923)

nvd.nist.gov (CVE-2025-57923)
