Impact
The vulnerability in the PushEngage WordPress plugin allows sensitive subscriber information to be exposed through the plugin's handling of data. The flaw is categorized as CWE-201, indicating an inability to adequately protect user data. An attacker who can reach the plugin’s exposure points would obtain confidential information that could be used for phishing or identity theft, undermining the confidentiality of users' personal details.
Affected Systems
The issue affects all installations of the PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget plugin with versions 4.2.3 or earlier. Sites running WordPress that have deployed these plugin versions are at risk, while those on newer releases are not affected.
Risk and Exploitability
The CVSS base score of 7.4 places this vulnerability in the high severity tier, and it is not listed in the CISA KEV catalog, suggesting limited known exploitation at this time. The EPSS score is not available, so precise exploit probability cannot be quantified, but the disclosed nature of the data leak indicates that an exploit could be feasible with minimal effort. Likely attack vectors involve direct requests to exposed endpoints or API calls that return subscriber data without appropriate access checks.
OpenCVE Enrichment