Description
Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.4.1 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Visual Link Preview plugin, a WordPress add‑on, contains a flaw that causes subscriber information to be exposed in the plugin’s responses. The vulnerability permits an attacker who manages to trigger the plugin to retrieve sensitive subscriber data, thereby compromising the confidentiality of users who have subscribed to a site. The weakness corresponds to CWE‑497, a data protection issue.

Affected Systems

Bootstrapped Ventures Visual Link Preview plugin versions up to and including 2.4.1 are affected. WordPress sites running any of these versions may inadvertently expose subscriber data through the plugin. Site administrators should verify the installed plugin version and ensure it is not older than 2.4.1.

Risk and Exploitability

The CVSS base score of 6.5 indicates a moderate risk, and the EPSS score of less than 1 % indicates that exploitation is considered unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could potentially exploit this by sending crafted requests to the plugin’s API endpoint, either while authenticated on the site or, if the plugin is publicly exposed, via unauthenticated requests. Because the flaw leads to data leakage rather than code execution, the primary concern is confidential data disclosure.

Generated by OpenCVE AI on June 18, 2026 at 00:37 UTC.

Remediation

Vendor Solution

Update the WordPress Visual Link Preview Plugin to the latest available version (at least 2.4.2).


OpenCVE Recommended Actions

  • Update the Visual Link Preview plugin to version 2.4.2 or later, as provided by Bootstrapped Ventures.
  • If the plugin is not essential to site functionality, consider disabling or uninstalling it to eliminate the exposure risk.
  • Restrict access to subscriber data by enabling role‑based permissions so that only administrators can view or export subscriber lists.

Generated by OpenCVE AI on June 18, 2026 at 00:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Bootstrapped
Bootstrapped visual Link Preview
Wordpress
Wordpress wordpress
Vendors & Products Bootstrapped
Bootstrapped visual Link Preview
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.4.1 versions.
Title WordPress Visual Link Preview plugin <= 2.4.1 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Bootstrapped Visual Link Preview
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:36:18.633Z

Reserved: 2026-05-25T22:10:13.824Z

Link: CVE-2026-48878

cve-icon Vulnrichment

Updated: 2026-06-16T14:36:14.989Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:17.140

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48878

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:15:02Z

Weaknesses
  • CWE-497

    Exposure of Sensitive System Information to an Unauthorized Control Sphere