Impact
The Visual Link Preview plugin, a WordPress add‑on, contains a flaw that causes subscriber information to be exposed in the plugin’s responses. The vulnerability permits an attacker who manages to trigger the plugin to retrieve sensitive subscriber data, thereby compromising the confidentiality of users who have subscribed to a site. The weakness corresponds to CWE‑497, a data protection issue.
Affected Systems
Bootstrapped Ventures Visual Link Preview plugin versions up to and including 2.4.1 are affected. WordPress sites running any of these versions may inadvertently expose subscriber data through the plugin. Site administrators should verify the installed plugin version and ensure it is not older than 2.4.1.
Risk and Exploitability
The CVSS base score of 6.5 indicates a moderate risk, and the EPSS score of less than 1 % indicates that exploitation is considered unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could potentially exploit this by sending crafted requests to the plugin’s API endpoint, either while authenticated on the site or, if the plugin is publicly exposed, via unauthenticated requests. Because the flaw leads to data leakage rather than code execution, the primary concern is confidential data disclosure.
OpenCVE Enrichment