
CVE-2025-12677: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in mykiot KiotViet Sync

Severity: Medium
Tags: Vulnerability, CVE-2025-12677, cve, cve-2025-12677, cwe-200
Published: Wed Nov 05 2025 (11/05/2025, 07:27:55 UTC)
Source: CVE Database V5
Vendor/Project: mykiot
Product: KiotViet Sync

Description

The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhook token value when configured.

AI-Powered Analysis

Last updated: 11/12/2025, 08:08:25 UTC

Technical Analysis

The vulnerability identified as CVE-2025-12677 affects the KiotViet Sync plugin for WordPress, specifically all versions up to and including 1.8.5. The issue lies within the register_api_route() function located in kiotvietsync/includes/public_actions/WebHookAction.php, which improperly exposes sensitive information. This flaw allows unauthenticated attackers to retrieve the webhook token value configured in the plugin. Webhook tokens are critical secrets used to authenticate and validate webhook requests between systems, and their exposure can lead to unauthorized actions or data exfiltration through forged webhook calls. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The CVSS v3.1 base score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the attack can be performed remotely without privileges or user interaction, and the impact is limited to confidentiality loss without affecting integrity or availability. No patches or known exploits are currently available, but the risk remains due to the sensitive nature of the token. The vulnerability affects all plugin versions, suggesting a systemic design flaw in the API route's access control or data handling. Organizations using this plugin in WordPress environments should be aware of the risk of token leakage, which could facilitate further attacks or unauthorized access to integrated systems relying on these webhooks.

Potential Impact

For European organizations, the exposure of webhook tokens can lead to unauthorized access to backend systems or services integrated via these webhooks. While the vulnerability does not directly compromise data integrity or system availability, the leaked tokens could be used to impersonate legitimate webhook requests, potentially triggering unauthorized operations such as data modification, order processing, or system configuration changes. This risk is particularly significant for e-commerce businesses or service providers relying on KiotViet Sync for inventory or order synchronization. The confidentiality breach could also lead to compliance issues under GDPR if personal data is indirectly exposed or manipulated through unauthorized webhook calls. The medium severity rating reflects that while the immediate impact is limited, the potential for chained attacks or data leakage exists. Organizations with high dependency on WordPress plugins for business-critical operations are at greater risk. Additionally, the lack of authentication or user interaction requirements lowers the barrier for exploitation, increasing the threat surface.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately review and restrict access to the vulnerable API route in the KiotViet Sync plugin. Implementing IP allowlisting or authentication mechanisms for API endpoints can prevent unauthorized token extraction. Monitoring web server logs for unusual access patterns to the REST route registered by register_api_route() is advisable to detect potential exploitation attempts. Until an official patch is released, consider disabling the KiotViet Sync plugin if feasible or isolating the WordPress instance from public access. Additionally, rotate any exposed webhook tokens to invalidate compromised credentials. Organizations should also ensure that their WordPress installations and plugins are regularly updated and subscribe to vendor security advisories for timely patch application. Employing Web Application Firewalls (WAFs) with custom rules to block suspicious API requests targeting this plugin can provide an additional layer of defense.
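The following is an added illustration of the hardening pattern the recommendations above describe, not code from the KiotViet Sync plugin or from Wordfence: a WordPress REST route whose permission_callback verifies a webhook token in constant time and whose responses never include the stored secret. The namespace example-sync/v1, the route /webhook, the header X-Webhook-Token and the option key example_sync_webhook_token are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code. Demonstrates a REST route that
// authenticates webhook calls against a stored token without ever exposing
// that token to an unauthenticated caller (the CWE-200 pattern in this CVE).
// Assumed names: namespace 'example-sync/v1', route '/webhook',
// request header 'X-Webhook-Token', option key 'example_sync_webhook_token'.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-sync/v1', '/webhook', array(
        'methods'             => 'POST',
        'callback'            => 'example_sync_handle_webhook',
        // Gate the route: the REST server runs this before the callback and
        // turns a WP_Error or false into a 401/403 response.
        'permission_callback' => 'example_sync_verify_webhook_token',
    ) );
} );

function example_sync_verify_webhook_token( WP_REST_Request $request ) {
    $expected = (string) get_option( 'example_sync_webhook_token', '' );
    $provided = (string) $request->get_header( 'X-Webhook-Token' );

    // An unconfigured token means "refuse", never "accept everything".
    if ( $expected === '' || $provided === '' ) {
        return new WP_Error( 'rest_forbidden', 'Webhook token required.', array( 'status' => 401 ) );
    }

    // Constant-time comparison avoids leaking the token through timing.
    if ( ! hash_equals( $expected, $provided ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid webhook token.', array( 'status' => 403 ) );
    }

    return true;
}

function example_sync_handle_webhook( WP_REST_Request $request ) {
    $payload = $request->get_json_params();
    // ... process the synchronisation event carried in $payload ...

    // Respond with status only. The body must not echo the configured token
    // or any other plugin setting; that is exactly what an exposure bug does.
    return new WP_REST_Response( array( 'status' => 'accepted' ), 200 );
}

// Any admin screen that needs to show whether a token exists should render a
// masked value rather than the secret itself.
function example_sync_masked_token() {
    $token = (string) get_option( 'example_sync_webhook_token', '' );
    if ( $token === '' ) {
        return '(not set)';
    }
    return str_repeat( '*', 8 ) . substr( $token, -4 );
}
```

The two defensive choices worth copying are that the route fails closed when no token is configured, and that the secret only ever flows inward (from the caller to hash_equals) and never outward in a response body, a log line or an unmasked settings field. Rotating the option value after an exposure invalidates anything already extracted, which is why the advisory pairs access restriction with token rotation.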


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2025-11-03T22:04:56.746Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 690afea4da9019f6f26cbdf9

Added to database: 11/5/2025, 7:37:08 AM

Last enriched: 11/12/2025, 8:08:25 AM

Last updated: 2/6/2026, 3:20:59 PM
