{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39564", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:32.434Z", "datePublished": "2026-04-08T08:30:18.874Z", "dateUpdated": "2026-04-08T08:30:18.874Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "sunshine-photo-cart", "product": "Sunshine Photo Cart", "vendor": "sunshinephotocart", "versions": [{"changes": [{"at": "3.6.2", "status": "unaffected"}], "lessThanOrEqual": "3.6.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:53.495Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data.<p>This issue affects Sunshine Photo Cart: from n/a through < 3.6.2.</p>"}], "value": "Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data.This issue affects Sunshine Photo Cart: from n/a through < 3.6.2."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:18.874Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-6-2-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Sunshine Photo Cart plugin < 3.6.2 - Sensitive Data Exposure vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Retrieve Embedded Sensitive Data.This issue affects Sunshine Photo Cart: from n/a through < 3.6.2."}], "id": "CVE-2026-39564", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:27.637", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-6-2-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "3.6.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Sunshine Photo Cart", "source": "cna", "vendor": "sunshinephotocart"}, "product": "sunshine_photo_cart", "vendor": "sunshinephotocart"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:37:39.288229+00:00", "value": {"mitigation_remediation": ["Apply the latest patch (v3.6.2 or newer) to Sunshine Photo Cart", "Verify that the plugin no longer exposes sensitive data following the update", "If an update is not possible immediately, deactivate the plugin until a patch is available", "Monitor site logs for attempts to retrieve sensitive data", "Check the plugin vendor\u2019s website for additional advisories"], "summary": {"action": "Patch Now", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "All WordPress sites that have Sunshine Photo Cart installed, up to and including version 3.6.1, are affected. The vulnerability applies regardless of other plugins or server configurations, affecting any site that uses the plugin\u2019s photo cart or booking features.", "description_and_impact": "The Sunshine Photo Cart plugin, versions before 3.6.2, has a flaw that allows insertion of sensitive information into data sent by the plugin. An attacker who can trigger the retrieval function can obtain data that should be kept confidential, such as personal details or transaction information. The weakness is classified as CWE\u2011201, which describes a situation where sensitive data is leaked in network traffic.", "risk_and_exploitability": "No CVSS or EPSS score is publicly available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is through the plugin\u2019s exposed endpoints or API, which could be accessed by an unauthenticated user depending on site configuration. As the flaw permits direct retrieval of sensitive data, the risk to confidentiality is high, especially for sites that store personal customer information. Organizations should consider the impact of potential data exposure when assessing threat posture."}}}}, "created": "2026-04-08T19:30:11.272243+00:00", "updated": "2026-04-08T19:42:31.000231+00:00", "vendors": ["sunshinephotocart", "sunshinephotocart$PRODUCT$sunshine_photo_cart", "wordpress", "wordpress$PRODUCT$wordpress"]}