Skip to main content

Visual Link Preview EUVDEUVD-2026-39363

| CVE-2026-54821 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-06-25 Patchstack GHSA-pvgh-wqw8-6fxp
7.4
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
5.0 MEDIUM

Network-reachable endpoint needs a Subscriber account (PR:L) and no interaction (UI:N); a pure CWE-201 data leak crosses the authz boundary (S:C) with low confidentiality impact and no genuine integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 14:16 vuln.today

DescriptionCVE.org

Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.3.1 versions.

AnalysisAI

Sensitive data exposure in the Visual Link Preview WordPress plugin (versions 2.3.1 and earlier) allows a low-privileged Subscriber-level authenticated user to access information they should not be authorized to view. The CVSS 3.1 vector (PR:L) indicates only minimal authenticated access is needed, and the changed scope reflects data leaking beyond the plugin's intended security boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Subscriber-level account
Delivery
Authenticate to WordPress site
Exploit
Send request to vulnerable plugin endpoint
Execution
Endpoint omits capability check
Persist
Receive unauthorized sensitive data
Impact
Harvest disclosed information

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account at the lowest WordPress privilege tier - Subscriber (CVSS PR:L) - interacting over the network (AV:N) with no user interaction (UI:N) and low attack complexity (AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed-but-modest. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege Subscriber account on a WordPress site running Visual Link Preview <= 2.3.1, then sends a crafted authenticated request to the plugin's endpoint that lacks a proper capability check. The server returns sensitive information the Subscriber should not be able to see, which the attacker harvests. …
Remediation No vendor-released patch version is identified in the available data; the advisory only confirms that versions up to and including 2.3.1 are affected, so administrators should check the WordPress plugin repository and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/visual-link-preview/vulnerability/wordpress-visual-link-preview-plugin-2-3-1-sensitive-data-exposure-vulnerability) for any release above 2.3.1 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress instances running Visual Link Preview versions 2.3.1 or earlier and notify stakeholders of exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39363 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy