CVE-2025-11997: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ngothoai Document Pro Elementor – Documentation & Knowledge Base
The Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.9. This is due to the plugin exposing sensitive Algolia API keys through the frontend JavaScript code via wp_localize_script without proper access restrictions. This makes it possible for unauthenticated attackers to view sensitive API keys in the page source, which could be leveraged to make unauthorized API calls to the configured Algolia search service.
AI Analysis
Technical Summary
CVE-2025-11997 is an information exposure vulnerability in the Document Pro Elementor – Documentation & Knowledge Base WordPress plugin (all versions up to and including 1.0.9). The plugin passes its Algolia API keys to wp_localize_script, which serializes the array into a JavaScript object printed inline in the HTML of every page that enqueues the script; anyone who can load the page can read it, so no authentication or access control applies. Unauthenticated attackers can therefore extract the keys from the page source and reuse them against the Algolia application configured by the plugin. The vulnerability is rated medium severity with a CVSS v3.1 base score of 5.3 and is tracked under CWE-200.
Potential Impact
Exposure of Algolia API keys to unauthorized actors can lead to unauthorized API usage against the Algolia application behind the plugin's search. The WordPress site itself is not directly compromised; the real blast radius depends on which key was exposed. Algolia search-only keys are designed to be shipped to browsers and only permit queries, so leaking one adds little. An admin key, or a custom key carrying write ACLs such as addObject, deleteObject, deleteIndex or editSettings, lets the holder poison, overwrite or delete the documentation index and consume the site's search quota, and a key with browse or listIndexes lets them dump every record, including content the site never surfaces through search. The CVSS v3.1 score of 5.3 is consistent with a low confidentiality impact and no direct integrity or availability impact on the site. No known exploits are reported in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. Until an official fix is available, site owners should load a documentation page while logged out and inspect the page source for the plugin's localized script data (WordPress prints it inside a script tag whose id ends in -js-extra). If an Algolia key other than a search-only key is present, treat it as compromised: regenerate or delete it in the Algolia dashboard and keep admin or write keys server-side only. Reconfigure the plugin with a search-only key, ideally one restricted to the documentation index and to the site's own HTTP referer, so that what the browser receives is exactly what Algolia designed for public use; otherwise remove or disable the affected plugin version. Monitor the vendor or plugin author for an official fix and apply it once released.
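The following is an added example for this advisory, not code from the Document Pro Elementor plugin or from Wordfence. It shows how to check a page for this class of exposure: it parses the JSON objects that wp_localize_script prints into -js-extra script tags, flags values shaped like Algolia API keys, builds the request for Algolia's "Get API key" endpoint (which a non-admin key may call for itself, so the response's "acl" list tells you what the leaked key can do), and rates that ACL. The script handle, JavaScript object name, field names and key values in the sample HTML are constructed; the real plugin's names are not known from the advisory, and the endpoint shape is taken from Algolia's public API documentation.

```python
"""Spot Algolia credentials leaked via wp_localize_script and rate what the key can do.

Added example for this advisory; not code from the Document Pro Elementor plugin.
Script handle, JS object name and field names below are constructed guesses.
"""
import json
import re
from typing import Dict, List, Tuple

# WordPress prints wp_localize_script() data as a JSON literal assigned to a global
# JS variable inside <script id="{handle}-js-extra">...</script>.
LOCALIZED_RE = re.compile(
    r'<script[^>]*\bid="(?P<handle>[^"]+)-js-extra"[^>]*>(?P<body>.*?)</script>',
    re.DOTALL,
)
ASSIGN_RE = re.compile(r'\bvar\s+(?P<name>\w+)\s*=\s*')

# Algolia application IDs are 10 upper-case alphanumerics; API keys are 32 hex chars.
# Admin, write and search-only keys are indistinguishable by format alone.
APP_ID_RE = re.compile(r'^[A-Z0-9]{10}$')
API_KEY_RE = re.compile(r'^[0-9a-f]{32}$')

# Algolia ACLs that let the holder change data. Anything beyond "search" is more
# than a key shipped to browsers should carry.
WRITE_ACLS = {"addObject", "deleteObject", "deleteIndex", "editSettings"}


def _flatten(obj, prefix: str = "") -> Dict[str, object]:
    """Flatten nested dict/list into {"a.b[0].c": value} so paths are searchable."""
    out: Dict[str, object] = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(_flatten(v, f"{prefix}.{k}" if prefix else str(k)))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(_flatten(v, f"{prefix}[{i}]"))
    else:
        out[prefix] = obj
    return out


def extract_localized_objects(html: str) -> Dict[str, dict]:
    """Return {js_object_name: decoded data} for every -js-extra block in the page."""
    decoder = json.JSONDecoder()
    objects: Dict[str, dict] = {}
    for block in LOCALIZED_RE.finditer(html):
        body = block.group("body")
        for assign in ASSIGN_RE.finditer(body):
            start = assign.end()
            if start >= len(body) or body[start] != "{":
                continue
            try:
                # raw_decode walks nested braces correctly, unlike a regex would.
                data, _ = decoder.raw_decode(body, start)
            except json.JSONDecodeError:
                continue
            objects[assign.group("name")] = data
    return objects


def find_algolia_credentials(objects: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """List (object, path, key) for values that look like Algolia API keys.

    A bare 32-hex string could also be an md5 or cache hash, so require either a
    key-ish field name or a co-located application ID before flagging it."""
    findings: List[Tuple[str, str, str]] = []
    for name, data in objects.items():
        flat = _flatten(data)
        has_app_id = any(isinstance(v, str) and APP_ID_RE.match(v) for v in flat.values())
        for path, value in flat.items():
            if not (isinstance(value, str) and API_KEY_RE.match(value)):
                continue
            if has_app_id or "key" in path.lower():
                findings.append((name, path, value))
    return findings


def build_key_probe(app_id: str, key: str) -> Tuple[str, Dict[str, str]]:
    """Request for Algolia's 'Get API key' endpoint. A non-admin key may look up
    only itself, which is all we need: the JSON response carries an "acl" list.
    Assumption: endpoint shape per Algolia's public docs. Run it only against
    your own application."""
    url = f"https://{app_id}.algolia.net/1/keys/{key}"
    headers = {"X-Algolia-Application-Id": app_id, "X-Algolia-API-Key": key}
    return url, headers


def rate_key_acl(acl: List[str]) -> str:
    """Translate the "acl" list of a leaked key into its blast radius."""
    acl_set = set(acl)
    if acl_set & WRITE_ACLS:
        return "critical"  # attacker can poison, overwrite or delete the index
    if acl_set - {"search"}:
        return "high"      # e.g. browse/listIndexes: dump records, enumerate indices
    return "expected"      # search-only: the posture a public key should have


# Constructed page fragment imitating wp_localize_script output; not real plugin data.
SAMPLE_HTML = """<script type="text/javascript" id="docpro-search-js-extra">
/* <![CDATA[ */
var docproSearch = {"ajax_url":"https:\\/\\/example.test\\/wp-admin\\/admin-ajax.php","algolia":{"app_id":"A1B2C3D4E5","api_key":"0123456789abcdef0123456789abcdef","index":"docs"}};
/* ]]> */
</script>"""

if __name__ == "__main__":
    for obj, path, key in find_algolia_credentials(extract_localized_objects(SAMPLE_HTML)):
        url, _ = build_key_probe("A1B2C3D4E5", key)
        print(f"{obj}.{path} exposes a key; fetch {url} and pass its 'acl' to rate_key_acl()")
```

Fetch the site's HTML with any client (curl while logged out is enough), feed it to extract_localized_objects, and for each finding issue the request from build_key_probe; a response whose "acl" rates anything other than "expected" means the key must be revoked, not merely hidden, because it has already been served to every visitor.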
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-20T20:47:48.546Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912b13014bc3e00ba783d32
Added to database: 11/11/2025, 3:44:48 AM
Last enriched: 4/9/2026, 4:01:40 PM
Last updated: 5/10/2026, 7:41:53 AM