Visual Link Preview CVE-2026-48878

EUVD-2026-36854 · MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-15 · Patchstack · GHSA-r55f-4694-6xmh
CVSS 3.1 score 6.5 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), primary: 6.5 MEDIUM (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
vuln.today AI: 6.5 MEDIUM

Subscriber-level auth (PR:L) required over the network (AV:N); purely a confidentiality breach with no integrity or availability impact.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 15, 2026 - 22:55 (vuln.today)

Description (CVE.org)

Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.4.1 versions.

Analysis (AI)

Sensitive data exposure in the Visual Link Preview WordPress plugin (versions up to and including 2.4.1) allows authenticated users with subscriber-level privileges to read restricted data they are not authorized to view. The vulnerability stems from insufficient access controls over sensitive system information (CWE-497): the affected functionality does not enforce a capability check, so any logged-in subscriber can invoke the disclosure endpoint or feature and obtain protected data in the response. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Register or obtain a subscriber account
Delivery: Authenticate to the WordPress site
Exploit: Send a crafted HTTP request to the vulnerable plugin endpoint
Execution: Bypass the missing capability/permission check
Impact: Receive sensitive data in the response

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated WordPress user account with at minimum Subscriber role privileges (PR:L per CVSS). …

Risk Assessment: The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects a medium-severity issue with high confidentiality impact, constrained by the requirement for authenticated access at subscriber level (PR:L). …

Exploit Scenario: An attacker registers a free subscriber account on a target WordPress site that runs the Visual Link Preview plugin at version 2.4.1 or earlier and has open user registration enabled. Using the subscriber session cookie, the attacker sends a crafted authenticated HTTP request (likely a WordPress AJAX action or REST API call) to the plugin's endpoint; because the capability check is missing or insufficient, the request succeeds and the response contains sensitive data. …

Remediation: Update the Visual Link Preview plugin to a version beyond 2.4.1 as soon as a patched release is published by Bootstrapped Ventures. Consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/visual-link-preview/vulnerability/wordpress-visual-link-preview-plugin-2-4-1-sensitive-data-exposure-vulnerability for the confirmed fixed version; that version was not independently verified in the intelligence available at the time of analysis. Until a fix is applied, sites that allow open registration should treat subscriber accounts as able to reach the affected functionality. …
