CVE-2026-7526
Sensitive Information Exposure in PDF Embedder WordPress Plugin
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_embedder | pdf_embedder | to 4.9.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated attackers with contributor-level access and above to extract configuration data from the PDF Embedder plugin for WordPress. When the premium add-on is installed and has a saved license key, sensitive information such as the license key may be exposed. On Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values.
Exposure of sensitive information like license keys could potentially impact compliance with data protection standards such as GDPR or HIPAA, which require protection of sensitive data and prevention of unauthorized access. However, the vulnerability does not appear to expose personal user data directly, but rather configuration and license information.
Therefore, organizations using this plugin should consider the risk of sensitive configuration data exposure in their compliance assessments and apply appropriate mitigations to maintain compliance with relevant standards.
Can you explain this vulnerability to me?
The PDF Embedder plugin for WordPress has a vulnerability in all versions up to and including 4.9.3. This vulnerability allows authenticated users with contributor-level access or higher to extract configuration data through the enqueue_block_assets function.
If the premium add-on is installed and has a saved license key, this key can be exposed. For installations using only the Lite version, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.
How can this vulnerability impact me? :
This vulnerability can lead to sensitive information exposure, particularly the license key if the premium add-on is installed. An attacker with contributor-level access could extract this key, potentially leading to unauthorized use or distribution of the premium features.
Even without the premium add-on, configuration data such as viewer settings and usage tracking information can be exposed, which might reveal some operational details about the website.