EUVD-2026-32743
GHSA-f2w5-jwq5-fprh
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.
AnalysisAI
Sensitive information exposure in the PDF Embedder WordPress plugin (all versions through 4.9.3) allows authenticated attackers with contributor-level access or higher to extract configuration data via the enqueue_block_assets hook. The severity of impact is installation-dependent: on sites running the premium add-on with a saved license key, attackers can exfiltrate that license key; on Lite-only installations, exposed data is limited to non-sensitive viewer settings such as dimensions, toolbar preferences, and usage tracking. …
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers t
Authentication bypass in the Login with OTP plugin for WordPress (all versions up to and including 1.6) lets unauthentic
Blind SQL injection in the RealMag777 'Active Products Tables for WooCommerce' WordPress plugin (versions up to and incl
Blind SQL injection in the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (all versions up to and
Remote code execution in the WPCode WordPress plugin (versions through 2.3.5) lets authenticated author-level users run
Share
External POC / Exploit Code
Leaving vuln.today