Description
Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation &amp; Chat Widget <= 4.2.3 versions.
Published: 2026-06-17
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the PushEngage WordPress plugin allows sensitive subscriber information to be exposed through the plugin's handling of data. The flaw is categorized as CWE-201, indicating an inability to adequately protect user data. An attacker who can reach the plugin’s exposure points would obtain confidential information that could be used for phishing or identity theft, undermining the confidentiality of users' personal details.

Affected Systems

The issue affects all installations of the PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget plugin with versions 4.2.3 or earlier. Sites running WordPress that have deployed these plugin versions are at risk, while those on newer releases are not affected.

Risk and Exploitability

The CVSS base score of 7.4 places this vulnerability in the high severity tier, and it is not listed in the CISA KEV catalog, suggesting limited known exploitation at this time. The EPSS score is not available, so precise exploit probability cannot be quantified, but the disclosed nature of the data leak indicates that an exploit could be feasible with minimal effort. Likely attack vectors involve direct requests to exposed endpoints or API calls that return subscriber data without appropriate access checks.

Generated by OpenCVE AI on June 18, 2026 at 14:00 UTC.

Remediation

Vendor Solution

Update the WordPress PushEngage – Web Push Notifications, eCommerce Automation &amp; Chat Widget Plugin to the latest available version (at least 4.2.4).


OpenCVE Recommended Actions

  • Update the PushEngage plugin to version 4.2.4 or newer.
  • If an immediate update is not possible, disable or remove the plugin from active use until a secure version is applied.
  • Inspect server logs for abnormal requests to the PushEngage endpoints, revoke any leaked keys, and ensure that subscriber data is not accessible without proper authentication.

Generated by OpenCVE AI on June 18, 2026 at 14:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Syed Balkhi
Syed Balkhi pushengage – Web Push Notifications, Ecommerce Automation &amp; Chat Widget
Wordpress
Wordpress wordpress
Vendors & Products Syed Balkhi
Syed Balkhi pushengage – Web Push Notifications, Ecommerce Automation &amp; Chat Widget
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation &amp; Chat Widget <= 4.2.3 versions.
Title WordPress PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget plugin <= 4.2.3 - Sensitive Data Exposure vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L'}


Subscriptions

Syed Balkhi Pushengage – Web Push Notifications, Ecommerce Automation &amp; Chat Widget
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:39:45.079Z

Reserved: 2026-06-08T10:11:03.696Z

Link: CVE-2026-52698

cve-icon Vulnrichment

Updated: 2026-06-17T14:39:42.338Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:03:52Z

Weaknesses
  • CWE-201

    Insertion of Sensitive Information Into Sent Data