The KiotViet Sync plugin for WordPress contains a Sensitive Information Exposure vulnerability (CWE-200) in all versions up to and including 1.8.5. The issue arises from the register_api_route() function in kiotvietsync/includes/public_actions/WebHookAction.php, which improperly exposes the webhook token to unauthenticated users. This vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level. No known exploits are reported in the wild, and no patch or vendor advisory has been provided yet.

An unauthenticated attacker can extract the webhook token value, which is sensitive information used for authenticating webhook requests. Exposure of this token could allow attackers to impersonate legitimate webhook calls, potentially leading to unauthorized actions or data manipulation in systems integrated with the plugin. However, the vulnerability does not affect integrity or availability directly, and no known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider restricting access to the affected API routes or disabling the webhook functionality if feasible. Monitor for updates from the vendor regarding patches or official mitigations.