Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Tips and Tricks HQ WP eMember allows Retrieve Embedded Sensitive Data.

This issue affects WP eMember: from n/a through v10.2.2.
Published: 2026-06-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes a vulnerability in the Tips and Tricks HQ WP eMember plugin that allows an unauthorized control sphere to retrieve embedded sensitive data. This can expose confidential system information to users who are not granted access by the plugin. The weakness is identified as CWE‑497, indicating improper protection of sensitive system information from unauthorized access.

Affected Systems

Users running any version of the WP eMember plugin from the earliest available release up to v10.2.2 on WordPress sites are affected. The vulnerability exists in all of those releases, so any site with the plugin installed and not updated beyond v10.2.2 is at risk.

Risk and Exploitability

The CVSS score of 5.3 rates this vulnerability as moderate. Because no EPSS score is available and the CVE is not listed in CISA KEV, the likelihood of active exploitation is currently unknown. Based on the description, the plugin’s interface or administrative functions appear to allow data retrieval, so the likelihood of the attack vector is inferred to be the plugin’s exposed interface. An attacker could exploit this if they have some level of access to the site, such as through an existing user account or by compromising the WordPress installation.

Generated by OpenCVE AI on June 4, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP eMember plugin to a version newer than v10.2.2 or apply the official vendor patch if available.
  • Review the site for any sensitive data that may have been exposed during the vulnerability window, and rotate or revoke credentials such as database passwords or API keys.
  • Limit administrative access to the WordPress backend to trusted users and apply the principle of least privilege.

Generated by OpenCVE AI on June 4, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Tips and Tricks HQ WP eMember allows Retrieve Embedded Sensitive Data. This issue affects WP eMember: from n/a through v10.2.2.
Title WordPress WP eMember plugin <= v10.2.2 - Sensitive Data Exposure vulnerability
Weaknesses CWE-497
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-04T10:49:13.375Z

Reserved: 2026-05-27T10:27:01.187Z

Link: CVE-2026-49077

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T11:16:27.457

Modified: 2026-06-04T11:16:27.457

Link: CVE-2026-49077

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T13:00:13Z

Weaknesses