Skip to main content

Mux Video Uploader CVE-2026-7544

| EUVDEUVD-2026-43128 MEDIUM
Information Exposure (CWE-200)
2026-07-11 Wordfence GHSA-rqch-mf8g-6cqr
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible via browser, low complexity; PR:L reflects mandatory subscriber authentication; no integrity or availability impact from credential read.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 03:58 vuln.today
CVE Published
Jul 11, 2026 - 02:31 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideo_enqueue_settings_script. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive data including Mux API credentials.

AnalysisAI

Sensitive Information Exposure in the Mux Video Uploader WordPress plugin (all versions through 1.1.4) allows any authenticated WordPress user at subscriber level or higher to retrieve Mux API credentials via the muxvideo_enqueue_settings_script function. Mux API keys exposed this way could enable unauthorized access to the site's Mux account, including video management and potential billing abuse. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain WordPress subscriber account
Delivery
Log into WordPress site with plugin active
Exploit
Load page that enqueues muxvideo_enqueue_settings_script
Execution
Extract Mux API credentials from JavaScript page source
Persist
Authenticate to Mux API with stolen credentials
Impact
Abuse Mux account (video exfiltration, deletion, or billing fraud)

Vulnerability AssessmentAI

Exploitation Requires a valid WordPress user account at subscriber level or higher - exploitation is limited to authenticated users and cannot be performed anonymously. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately captures the direct technical impact: a low-privilege network-accessible read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers as a subscriber on a WordPress site running Mux Video Uploader 1.1.4 or earlier, then navigates to a page where the plugin enqueues its settings script. Using browser developer tools or viewing page source, the attacker extracts the Mux API token ID and secret key from the JavaScript settings object, then uses those credentials directly against the Mux API to enumerate, download, or delete videos associated with the account.
Remediation A patch has been committed to the WordPress plugin repository trunk per the referenced changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3543763%402coders-integration-mux-video&new=3543763%402coders-integration-mux-video); however, the exact released version number containing this fix is not independently confirmed from the provided data - verify the current version in the WordPress plugin directory before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-7544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy