Unpatch Security Issue
-
This plugin has an active vulnerability that has been reported a month ago. Are there any plans to patch this issue or should we be looking to find an alternative postcode data provider?
-
Hi there
We have investigated the Patchstack report (CVE-2025-57923) and can provide immediate clarification:
The exposed Information is a public-facing API Key and is not a security risk.
We’ve clarified what the issue with Patchstack. We discovered the “sensitive data” exposed by the plugin is a public-facing API key used for our address lookup service. This key is not a secret credential and does not pose a vulnerability to your site.
This method of using a publicly viewable key for address lookup is standard practice for API usage. Similar services like Google Maps and Mapbox also rely on public API keys. These keys serve primarily to identify and meter usage (for billing and rate limiting), rather than act as a secret for protecting private data.
If this were a real CVE, we would *immediately* ship a fix and notify customers. However there is no way to fix this because it is working as designed.
Patchstack’s last email to us was sent 6th October 2025, wanting to clarify where we documented API keys were public. We responded the same day with documentation demonstrating the “sensitive data” was in fact a public-facing API key. We received no reply.
We have sent 5 emails between then and today (23 October) asking they either correct the CVE or explain why this qualifies as a vulnerability in light of the information we have provided. We have received no replies or even acknowledgement of these emails.
We will shortly be issuing a patch a breakdown of this CVE and Patchstack’s response to date. Given their lack of communication, we have also notified Patchstack’s CNA about this issue to resolve the CVE higher up.
You must be logged in to reply to this topic.
