Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in HashThemes Hash Elements allows Retrieve Embedded Sensitive Data.

This issue affects Hash Elements: from n/a through 1.5.4.
Published: 2026-06-12
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE refers to a flaw in the Hash Elements WordPress plugin that permits an unauthorized party to retrieve embedded sensitive data. The vulnerability is classified as CWE‑497 and can lead to exposure of confidential information when the plugin processes requests without proper access control. The reported CVSS score of 4.3 indicates a moderate risk for confidentiality impact, but the flaw does not grant code execution or denial of service.

Affected Systems

The affected product is the HashThemes Hash Elements plugin for WordPress; any installation running version 1.5.4 or earlier is affected. The vendor has identified the flaw in all releases from the earliest available version up through 1.5.4.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, which suggests that the flaw is not currently being exploited widely or actively. The likely attack vector is an exposed plugin endpoint or function that returns sensitive data to any user with access to the site’s frontend or backend. An attacker would need to discover the relevant URI and trigger the plugin’s data retrieval routine, which can then leak the embedded secrets. Given the moderate CVSS score, exploitation would primarily harm confidentiality without affecting availability or integrity.

Generated by OpenCVE AI on June 12, 2026 at 22:26 UTC.

Remediation

Vendor Solution

Update the WordPress Hash Elements Plugin to the latest available version (at least 1.5.5).


OpenCVE Recommended Actions

  • Update the Hash Elements plugin to version 1.5.5 or later.
  • If an immediate update is not possible, disable the Hash Elements plugin or remove its files from the WordPress installation until a patch can be applied.
  • Limit access to the WordPress admin area and ensure that non‑admin users cannot trigger the plugin’s data retrieval functions.


Advisories

No advisories yet.

History

Fri, 12 Jun 2026 22:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hashthemes; Hashthemes hash Elements; Wordpress; Wordpress wordpress
Vendors & Products | | Hashthemes; Hashthemes hash Elements; Wordpress; Wordpress wordpress

Fri, 12 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in HashThemes Hash Elements allows Retrieve Embedded Sensitive Data. This issue affects Hash Elements: from n/a through 1.5.4.
Title | | WordPress Hash Elements plugin <= 1.5.4 - Sensitive Data Exposure vulnerability
Weaknesses | | CWE-497
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-12T20:46:18.717Z

Reserved: 2026-01-23T12:32:24.372Z

Link: CVE-2026-24618

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T21:16:21.153

Modified: 2026-06-12T21:16:21.153

Link: CVE-2026-24618

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:30:08Z

Weaknesses
  • CWE-497

    Exposure of Sensitive System Information to an Unauthorized Control Sphere