Description
Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows unauthenticated exposure of sensitive data in the EmbedPress plugin for WordPress, versions 4.5.2 and earlier, potentially enabling attackers to retrieve confidential information without credentials. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), an access-control weakness. Because the plugin does not enforce authentication, the exposed data could include user data, configuration settings, or other private content managed by the plugin.

Affected Systems

Affected systems include websites that have installed WPDeveloper’s EmbedPress plugin through version 4.5.2 or any earlier release. The fix is the official update to version 4.5.3 or later, which removes the unauthenticated data exposure. Sites using any version preceding 4.5.3 should apply the patch immediately or remove the plugin if it is not required.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of < 1% suggests a low likelihood of exploitation in the wild at present. The vulnerability is not listed in the CISA KEV catalog, meaning CISA has not recorded it as exploited in the wild. Based on the description, it is inferred that the attack vector is remote via the web interface, with no authentication required, so any Internet-exposed server running an affected plugin version is potentially vulnerable.

Generated by OpenCVE AI on June 16, 2026 at 20:29 UTC.

Remediation

Vendor Solution

Update the WordPress EmbedPress Plugin to the latest available version (at least 4.5.3).


OpenCVE Recommended Actions

  • Update the EmbedPress plugin to version 4.5.3 or later
  • Verify that no older plugin versions remain installed on the WordPress site
  • Remove or disable the EmbedPress plugin if it is not required

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 07:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpdeveloper; Wpdeveloper embedpress
Vendors & Products | | Wordpress; Wordpress wordpress; Wpdeveloper; Wpdeveloper embedpress

Mon, 15 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.
Title | | WordPress EmbedPress plugin <= 4.5.2 - Sensitive Data Exposure vulnerability
Weaknesses | | CWE-639
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T13:43:23.879Z

Reserved: 2026-05-25T22:10:00.865Z

Link: CVE-2026-48872

Vulnrichment

Updated: 2026-06-16T13:43:10.443Z

NVD

Status: Deferred

Published: 2026-06-15T21:17:16.670

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T20:30:03Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key