CVE-2026-52698
Deferred - Pending Action
Subscriber Data Exposure in PushEngage Web Push Notifications

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget <= 4.2.3 versions.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
pushengage | pushengage | to 4.2.3 (inc)
CWE ID | Description
CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Compliance Impact

The vulnerability in PushEngage versions 4.2.3 and below involves sensitive data exposure, allowing unauthorized access to confidential subscriber information.

Such exposure of sensitive data can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over personal and sensitive information to protect user privacy and security.

Organizations using affected versions of the plugin risk violating these regulations if the vulnerability is exploited, potentially resulting in legal and financial consequences.

Immediate mitigation by updating the plugin to version 4.2.4 or later is necessary to reduce the risk of data breaches and maintain compliance.

Executive Summary

CVE-2026-52698 is a high-priority vulnerability in the WordPress PushEngage plugin versions 4.2.3 and below. It exposes sensitive subscriber data, allowing malicious actors to access confidential information that should not be accessible to them.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive subscriber data, which may compromise user privacy and security. Because of its high severity score (7.4), it poses a significant risk and is likely to be targeted in mass-exploit campaigns affecting many websites using the vulnerable plugin.

If exploited, attackers could gain access to confidential information, potentially leading to further attacks, loss of user trust, and damage to your website's reputation.

Immediate mitigation actions include updating the PushEngage plugin to version 4.2.4 or later. If updating is not possible, users should seek help from their hosting provider or web developer.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress PushEngage plugin to version 4.2.4 or later.

If updating the plugin is not possible, users should seek assistance from their hosting provider or web developer.

No virtual patch is available for this specific issue, so updating is the primary mitigation.
