Description
Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in WordPress EmbedPress versions 4.5.2 and earlier permits unauthenticated exposure of sensitive data stored or displayed by the plugin. Because the plugin does not enforce authentication for its data endpoints, an attacker can retrieve confidential information such as configuration settings, embedded content details, or other private content managed by the plugin. This flaw is identified as CWE‑639, indicating a missing or improperly applied access control mechanism.

Affected Systems

Websites that have installed WPDeveloper’s EmbedPress plugin version 4.5.2 or any earlier release are affected. The issue is limited to the plugin itself and does not extend to core WordPress functionality. Sites must update to version 4.5.3 or later to remove the unauthenticated data exposure.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk, while the EPSS score of < 1 % suggests that exploitation is currently unlikely in the wild. The vulnerability is not listed in the CISA KEV catalog, implying no publicly documented exploits have been observed. Based on the description, it is inferred that the attack vector is remote via the web interface, with no authentication required, allowing any Internet‑exposed server running an affected plugin version to be potentially impacted.

Generated by OpenCVE AI on June 18, 2026 at 03:21 UTC.

Remediation

Vendor Solution

Update the WordPress EmbedPress Plugin to the latest available version (at least 4.5.3).


OpenCVE Recommended Actions

  • Update the EmbedPress plugin to version 4.5.3 or later
  • If the plugin is not required, uninstall it completely from the WordPress installation
  • Restrict access to the plugin’s data endpoints by requiring authentication or applying network‑level controls

Generated by OpenCVE AI on June 18, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpdeveloper
Wpdeveloper embedpress
Vendors & Products Wordpress
Wordpress wordpress
Wpdeveloper
Wpdeveloper embedpress

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.
Title WordPress EmbedPress plugin <= 4.5.2 - Sensitive Data Exposure vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Wordpress Wordpress
Wpdeveloper Embedpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T13:43:23.879Z

Reserved: 2026-05-25T22:10:00.865Z

Link: CVE-2026-48872

cve-icon Vulnrichment

Updated: 2026-06-16T13:43:10.443Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:16.670

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48872

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T03:30:16Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key