Skip to main content

Hash Elements EUVDEUVD-2026-36570

| CVE-2026-24618 MEDIUM
Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
2026-06-12 Patchstack GHSA-5gvj-r2g2-wv2x
4.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible with low-privilege auth required; limited confidentiality impact only, no integrity or availability effect, no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 12, 2026 - 21:36 vuln.today

DescriptionCVE.org

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in HashThemes Hash Elements allows Retrieve Embedded Sensitive Data.

This issue affects Hash Elements: from n/a through 1.5.4.

AnalysisAI

Sensitive system information exposure in the Hash Elements WordPress plugin (all versions through 1.5.4) enables authenticated low-privilege users to retrieve embedded sensitive data from the plugin's output or internal responses. Classified under CWE-497, the plugin surfaces system-level information - potentially including API keys, server paths, or configuration values - to parties who should not have access to it. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low authentication barrier (subscriber-level or equivalent WordPress account) broadens the pool of potential abusers on multi-user WordPress installations.

Technical ContextAI

Hash Elements (CPE: cpe:2.3:a:hashthemes:hash_elements:*:*:*:*:*:*:*:*) is a WordPress page-building plugin by HashThemes, likely designed for use with Elementor or similar block editors. CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere) describes a class of vulnerability where internal data - such as server configuration, API credentials, filesystem paths, or software versioning details - is embedded in rendered output, REST API responses, AJAX handlers, or front-end JavaScript and becomes accessible to parties outside the intended trust boundary. In a WordPress context, this typically occurs when a plugin endpoint or shortcode output lacks proper capability checks, causing privileged data to be returned to authenticated users who hold only subscriber or contributor roles. The CVSS vector AV:N/AC:L/PR:L confirms the flaw is reachable over the network with no special configuration and only a low-privilege WordPress account.

RemediationAI

Update the Hash Elements plugin to a version beyond 1.5.4 as soon as a patched release is made available by HashThemes. The exact fixed version is not independently confirmed from the available data - only that 1.5.4 and earlier are vulnerable. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/hash-elements/vulnerability/wordpress-hash-elements-plugin-1-5-4-sensitive-data-exposure-vulnerability?_s_id=cve and the WordPress plugin repository for an updated release. As a compensating control pending a patch, consider disabling the plugin on installations where untrusted users hold low-privilege accounts, particularly on sites with open user registration. If disabling is not viable, restrict authenticated access to only trusted user roles and audit the exposed data type to determine whether downstream secrets (API keys, credentials) require rotation. Note that disabling the plugin will remove any page-builder blocks or widgets it provides, which may affect front-end layout.

Share

EUVD-2026-36570 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy