Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Tips and Tricks HQ WP eMember allows Retrieve Embedded Sensitive Data.

This issue affects WP eMember: from n/a through v10.2.2.
Published: 2026-06-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes a vulnerability in the Tips and Tricks HQ WP eMember plugin that allows an unauthorized control sphere to retrieve embedded sensitive data. This can expose confidential system information to users who are not granted access by the plugin. The weakness is identified as CWE‑497, indicating improper protection of sensitive system information from unauthorized access.

Affected Systems

Users running any version of the WP eMember plugin from the earliest available release up to v10.2.2 on WordPress sites are affected. The vulnerability exists in all of those releases, so any site with the plugin installed and not updated beyond v10.2.2 is at risk.

Risk and Exploitability

The CVSS score of 5.3 rates this vulnerability as moderate. Because no EPSS score is available and the CVE is not listed in CISA KEV, the likelihood of active exploitation is currently unknown. Based on the description, the plugin’s interface or administrative functions appear to allow data retrieval, so the likelihood of the attack vector is inferred to be the plugin’s exposed interface. An attacker could exploit this if they have some level of access to the site, such as through an existing user account or by compromising the WordPress installation.

Generated by OpenCVE AI on June 4, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP eMember plugin to a version newer than v10.2.2 or apply the official vendor patch if available.
  • Review the site for any sensitive data that may have been exposed during the vulnerability window, and rotate or revoke credentials such as database passwords or API keys.
  • Limit administrative access to the WordPress backend to trusted users and apply the principle of least privilege.

Generated by OpenCVE AI on June 4, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
First Time appeared Tipsandtricks-hq
Tipsandtricks-hq wp Emember
Wordpress
Wordpress wordpress
Vendors & Products Tipsandtricks-hq
Tipsandtricks-hq wp Emember
Wordpress
Wordpress wordpress

Thu, 04 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Tips and Tricks HQ WP eMember allows Retrieve Embedded Sensitive Data. This issue affects WP eMember: from n/a through v10.2.2.
Title WordPress WP eMember plugin <= v10.2.2 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Tipsandtricks-hq Wp Emember
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-04T15:06:55.581Z

Reserved: 2026-05-27T10:27:01.187Z

Link: CVE-2026-49077

cve-icon Vulnrichment

Updated: 2026-06-04T13:14:27.019Z

cve-icon NVD

Status : Deferred

Published: 2026-06-04T11:16:27.457

Modified: 2026-06-04T13:53:09.797

Link: CVE-2026-49077

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T07:45:35Z

Weaknesses
  • CWE-497

    Exposure of Sensitive System Information to an Unauthorized Control Sphere