CVE-2025-31001

WordPress GTM Kit plugin <= 2.4.0 - Sensitive Data Exposure vulnerability

CVSS 7.5 HIGH · EPSS 0.4% · CWE-1295
In short

The GTM Kit WordPress plugin up to version 2.4.0 exposes sensitive information through debug messages that shouldn't be visible to users. This allows attackers to retrieve confidential data that could compromise your website's security.

Technical detail

The GTM Kit plugin (≤ 2.4.0) fails to properly restrict debug output, allowing unauthenticated or low-privileged attackers to access embedded sensitive data through debug messages. The weakness is classified as CWE-1295 (Debug Messages Revealing Unnecessary Information), and it enables data exfiltration without requiring code execution or elevated privileges.

Summary generated and translated by AI from the official description.
Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit gtm-kit allows Retrieve Embedded Sensitive Data. This issue affects GTM Kit: from n/a through <= 2.4.0.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
TLA Media · GTM Kit
