Security Alert Summary
The GetResponse Email marketing for WordPress by GetResponse Official plugin, in all versions up to and including 1.5.3, contains an information exposure weakness (CWE-497) that lets an unauthorized actor retrieve sensitive system information embedded in the plugin. The CVE entry documents only that retrieval of embedded sensitive data is possible; it gives no further technical detail.
CVE Details
- CVE ID: CVE-2025-64272
- Affected plugin / component: GetResponse Email marketing for WordPress by GetResponse Official
- Affected versions: all versions up to and including 1.5.3 (no lower bound is given; a fixed version is not specified in the CVE entry)
- Published: December 18, 2025 at 8:16 AM UTC
- Last modified: December 18, 2025 at 3:07 PM UTC
- CVSS v3.1 base score / severity / vector: Not specified in the CVE entry
- Authentication / privileges / user interaction: Not specified in the CVE entry
- Primary impact:
- Confidentiality: Exposure of sensitive system information (specified)
- Integrity: Not specified
- Availability: Not specified
- CWE / weakness ID: CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere)
Technical Details
The CVE description states only that the plugin “allows Retrieve Embedded Sensitive Data,” which maps to CWE-497: sensitive system information reaches a control sphere that should not have it. In practical terms, some plugin functionality makes embedded data obtainable by parties who should not be able to obtain it. The entry does not name specific functions, REST API endpoints, or code paths.
Because the CVE description includes no implementation details, the most that can be stated from the available information is that a data-handling or access-control check is missing or insufficient for the affected functionality. The documented impact is disclosure of sensitive system information only; the CVE does not assert remote code execution, privilege escalation, or any other additional behaviour.
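To make the weakness class concrete, the following is an added illustration written for this page; it is not the GetResponse plugin's code and does not describe how that plugin is implemented. It shows two generic WordPress patterns that produce CWE-497 (a REST route with no permission check, and a settings array embedded into page markup) next to hardened forms. The namespace `demo/v1`, the option name `demo_mailing_settings`, the `api_key` field and all function names are assumptions for the demonstration.

```php
<?php
/**
 * Added illustration of the CWE-497 class in a WordPress plugin.
 * NOT the GetResponse plugin's code: route, option name and field
 * names below are assumptions chosen for the demonstration.
 */

// Assumed storage: plugin settings, including a service API key, kept
// in one option array.
const DEMO_OPTION = 'demo_mailing_settings';

/* ---- Weak pattern 1: REST route readable by anyone ------------------- */
function demo_register_weak_route() {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'demo_get_settings_raw',
        // No authorization: any visitor can fetch the whole option.
        'permission_callback' => '__return_true',
    ) );
}

function demo_get_settings_raw( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( DEMO_OPTION, array() ) );
}

/* ---- Weak pattern 2: secrets embedded in the public page source ------ */
function demo_enqueue_weak() {
    wp_enqueue_script( 'demo-front', plugins_url( 'front.js', __FILE__ ), array(), '1.0', true );
    // Everything in the option, api_key included, is printed into the HTML.
    wp_localize_script( 'demo-front', 'demoCfg', get_option( DEMO_OPTION, array() ) );
}

/* ---- Hardened: capability check plus redaction ----------------------- */
function demo_register_hardened_route() {
    register_rest_route( 'demo/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => 'demo_get_settings_redacted',
        // Only users allowed to manage options may read plugin configuration.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
}

function demo_get_settings_redacted( WP_REST_Request $request ) {
    $settings = get_option( DEMO_OPTION, array() );
    // The admin UI only needs to know a key is configured, not its value.
    if ( ! empty( $settings['api_key'] ) ) {
        $settings['api_key'] = '****' . substr( $settings['api_key'], -4 );
    }
    return rest_ensure_response( $settings );
}

function demo_enqueue_hardened() {
    wp_enqueue_script( 'demo-front', plugins_url( 'front.js', __FILE__ ), array(), '1.0', true );
    // Embed only what the browser needs; the secret stays server-side.
    wp_localize_script( 'demo-front', 'demoCfg', array(
        'restUrl' => esc_url_raw( rest_url( 'demo/v1/' ) ),
        'nonce'   => wp_create_nonce( 'wp_rest' ),
    ) );
}

add_action( 'rest_api_init', 'demo_register_hardened_route' );
add_action( 'wp_enqueue_scripts', 'demo_enqueue_hardened' );
```

The two weak functions are deliberately not hooked; they are there to show the shapes to look for during a code review: a `permission_callback` of `__return_true` on a route that returns configuration, and a `wp_localize_script` call that passes a whole settings array to the front end. Which of these, if either, applies to the GetResponse plugin is not stated in the CVE.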
How This Could Impact Your Website
Consider a site running the affected plugin where multiple people have different roles: a site owner, internal staff who manage content, and an external contractor who assists with marketing. If the plugin exposes embedded sensitive system information to unauthorized parties, internal details such as configuration snippets, API keys, or internal identifiers could be revealed.
Realistic consequences include exposure of internal email addresses or other information that could be used to craft targeted phishing or social engineering attacks against staff or contractors. While the CVE describes an information exposure issue, it does not indicate that attackers can change site content or take the site offline; the primary concern documented is confidentiality of sensitive data.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available (the CVE does not specify a fixed version, so check the plugin changelog for a security fix rather than assuming any release above 1.5.3 is safe). Until a fix is confirmed, treat any API key or other credential the plugin stores as potentially exposed and rotate it.
- Review and reduce unnecessary user roles, especially contributor-level and external accounts.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior or unexpected access to plugin endpoints.
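As a quick way to check whether a site falls in the affected range, here is an added WP-CLI script written for this page (not part of the advisory or the plugin). It scans the installed plugins for one whose header name mentions GetResponse and compares its version against 1.5.3. Matching by header name rather than directory slug is an assumption made so the plugin's folder name does not need to be known; the file name `check-getresponse.php` is likewise arbitrary.

```php
<?php
/**
 * Added example: audit installed plugins for an affected GetResponse version.
 * Run from the WordPress root with WP-CLI:
 *     wp eval-file check-getresponse.php
 * Matching on the plugin header "Name" (assumption) avoids hard-coding a slug.
 */

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

// Upper bound of the affected range as given in the CVE entry.
const AFFECTED_MAX_VERSION = '1.5.3';

$findings = array();
foreach ( get_plugins() as $plugin_file => $data ) {
    if ( false === stripos( $data['Name'], 'GetResponse' ) ) {
        continue;
    }
    $findings[] = array(
        'file'     => $plugin_file,
        'name'     => $data['Name'],
        'version'  => $data['Version'],
        'active'   => is_plugin_active( $plugin_file ),
        // version_compare() handles multi-part versions correctly
        // (for example 1.5.10 is newer than 1.5.3).
        'affected' => version_compare( $data['Version'], AFFECTED_MAX_VERSION, '<=' ),
    );
}

if ( empty( $findings ) ) {
    WP_CLI::success( 'No plugin with "GetResponse" in its name is installed.' );
    return;
}

foreach ( $findings as $f ) {
    $state = $f['active'] ? 'active' : 'inactive';
    if ( $f['affected'] ) {
        WP_CLI::warning( sprintf(
            '%s %s (%s, %s) is within the affected range (<= %s).',
            $f['name'], $f['version'], $f['file'], $state, AFFECTED_MAX_VERSION
        ) );
    } else {
        WP_CLI::log( sprintf(
            '%s %s (%s, %s) is above the affected range; confirm in the changelog that this release fixes CVE-2025-64272.',
            $f['name'], $f['version'], $f['file'], $state
        ) );
    }
}
```

Because the CVE does not name a fixed version, a result above 1.5.3 only means the site is outside the documented range; confirm against the plugin's changelog before treating it as resolved. An inactive copy still counts as installed code and is best removed rather than left on disk.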
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.