Exploits

Atarim WordPress Plugin Leaks License Keys and User Data

Published  ·  4 min read

Atarim WordPress Plugin

There exists a security vulnerability in the Atarim plug-in which exposes attackers to steal sensitive data without going through any kind of authentication process. 

This flaw is present in versions prior to 4.2.2, and it was uncovered by security researcher Mohammad Hossein Sadeghian, who released an exploit for the same.

This particular security vulnerability has the ID of CVE-2025-60188 and is present in the REST API and AJAX functions of the plugin. By exploiting this vulnerability, it becomes possible for an attacker who has no credentials at all to steal the unique identifier of the site and generate HMAC signatures.

Vulnerability Overview

The attack starts with making a request to the plugin's REST API interface. There is no requirement for any form of authorization to receive the internal ID of the website from this interface. This is done by including a parameter that will be used in generating the HMAC signature.

After getting the site ID, the attacker can generate HMAC-SHA256 signatures using the ID as the key and a reference string as the message. These generated signatures will be accepted by the plugin as valid authorization for various administrative functions.

This is a typical case of insecure direct object referencing together with weak key management. The ID of the site acts as a private key as well as a public key since all that an attacker needs to do to get the "secret" key is to ask the API.

What Information Is Exposed

With the HMAC signature in hand, an attacker can access multiple plugin endpoints. 

The first endpoint returns the following:

  • Complete URL of the site
  • Name of the site
  • The plugin’s license key
  • All the plugin’s internal settings

Of all the above pieces of information, the license key poses a great risk. There are numerous commercial plugins that rely on license keys for upgrades and support. A hacker in possession of a valid license key could possibly download the plugin or even masquerade as the site owner.

The second vulnerable endpoint reveals the entire list of all the users who are registered on the website. 

The information collected is as follows:

  • User ID
  • Role
  • Username
  • Email address
  • First Name and Last Name
  • Metadata for each user.

This information is especially important when it comes to administrator accounts. It allows the hacker to launch more efficient phishing campaigns and credential stuffing attack.

The Risks

The Atarim WordPress plugin vulnerable to sensitive data exposure poses many threats. The license key can either be reused or resold in the underground market. Information about the complete list of users along with their roles gives the attacker an idea about the website structure. Administrator users become the main targets for more attacks.

This security weakness doesn’t need any user action and is not dependent on any previous authentication. An attacker just needs to make two HTTP requests to get the required information.

Protecting Your Site

The vulnerability has been fixed in Atarim plugin version 4.2.2. Immediate upgrade is necessary for website owners.

In cases where immediate upgrading is not possible, you could consider disabling the plugin or limiting access to the REST and AJAX API endpoints. The web application firewall can be set up to block the exploitation patterns.

The Bottom Line

The Atarim WordPress plugin sensitive data exposure vulnerability is a critical security vulnerability, which exposes license keys, PII of users, and other configurations. The exploit is very easy and does not require any kind of authentication.

Immediately upgrade to 4.2.2. Look for any traces of hacking on your site. And treat your license keys as sensitive credentials.

FAQ Section

What is Atarim WordPress Plugin Vulnerability?

Atarim is an information leakage vulnerability on versions below 4.2.2 where an attacker can retrieve license keys, user data, and configuration of the system.

Who discovered the vulnerability?

Mohammad Hossein Sadeghian discovered and disclosed the vulnerability.

How does the attack happen?

The attacker sends requests to the REST API endpoint in order to get the site id. The attacker uses the site id as the HMAC secret in order to forge a signature for a secured endpoint that gives out sensitive data.

What information is disclosed?

License keys, website URL, website name, plugin configuration, IDs, user roles, usernames, email addresses, first name and last name.

What version is affected?

The Atarim WordPress plugin versions less than 4.2.2 are at risk. The flaw is fixed in version 4.2.2.

What should I do if I am using this plugin?

It is highly recommended that you upgrade to version 4.2.2 now.Monitor your site for unauthorized access.

Source: Exploit DB
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067