Skip to main content

PushEngage WordPress Plugin EUVDEUVD-2026-37626

| CVE-2026-52698 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-17 Patchstack
7.4
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
4.3 MEDIUM

Authenticated low-privileged WordPress user reads subscriber data over the network; CWE-201 is a confidentiality-only disclosure, so I:N/A:N and no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 12:01 vuln.today

DescriptionCVE.org

Subscriber Sensitive Data Exposure in PushEngage - Web Push Notifications, eCommerce Automation &amp; Chat Widget <= 4.2.3 versions.

AnalysisAI

Sensitive data exposure in the PushEngage WordPress plugin (versions <= 4.2.3) allows authenticated low-privileged users to access subscriber information that should remain protected. The flaw, reported by Patchstack and tracked as CWE-201 (Insertion of Sensitive Information Into Sent Data), affects WordPress sites running the Web Push Notifications, eCommerce Automation & Chat Widget plugin and carries a CVSS 3.1 score of 7.4 with a scope change. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain low-privileged WordPress account
Delivery
Authenticate to target site
Exploit
Send crafted request to vulnerable PushEngage endpoint
Execution
Receive subscriber data in response
Impact
Harvest subscriber records for follow-on abuse

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a WordPress site with the PushEngage - Web Push Notifications, eCommerce Automation & Chat Widget plugin installed and active at version 4.2.3 or earlier, (2) network reachability to the site's admin-ajax or REST API surface, and (3) an authenticated session at a low privilege level (PR:L per the CVSS vector - typically Subscriber or Contributor, achievable on sites that allow open user registration). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L) shows network reachability, low complexity, low privileges required, no user interaction, and - notably - a scope change with low impact across all three CIA properties, yielding a 7.4 score driven largely by S:C rather than by severe individual impacts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has registered or obtained any low-privileged WordPress account (e.g., Subscriber or Contributor) on a site running PushEngage <= 4.2.3 authenticates and issues a crafted request to a PushEngage endpoint that returns subscriber data. The response leaks subscriber records belonging to the site, allowing the attacker to harvest a list of push-notification subscribers for phishing, spam, or follow-on targeting. …
Remediation Patch available per vendor advisory - upgrade the PushEngage plugin to a version newer than 4.2.3 as published on the WordPress.org plugin repository, consulting the Patchstack record at https://patchstack.com/database/wordpress/plugin/pushengage/vulnerability/wordpress-pushengage-web-push-notifications-ecommerce-automation-chat-widget-plugin-4-2-3-sensitive-data-exposure-vulnerability for the exact fixed release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: disable or deactivate the PushEngage plugin on all affected WordPress installations and audit recent access logs for unauthorized subscriber data retrieval by low-privileged accounts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37626 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy