Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-accessible via browser, low complexity; PR:L reflects mandatory subscriber authentication; no integrity or availability impact from credential read.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideo_enqueue_settings_script. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive data including Mux API credentials.
AnalysisAI
Sensitive Information Exposure in the Mux Video Uploader WordPress plugin (all versions through 1.1.4) allows any authenticated WordPress user at subscriber level or higher to retrieve Mux API credentials via the muxvideo_enqueue_settings_script function. Mux API keys exposed this way could enable unauthorized access to the site's Mux account, including video management and potential billing abuse. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid WordPress user account at subscriber level or higher - exploitation is limited to authenticated users and cannot be performed anonymously. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately captures the direct technical impact: a low-privilege network-accessible read. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers as a subscriber on a WordPress site running Mux Video Uploader 1.1.4 or earlier, then navigates to a page where the plugin enqueues its settings script. Using browser developer tools or viewing page source, the attacker extracts the Mux API token ID and secret key from the JavaScript settings object, then uses those credentials directly against the Mux API to enumerate, download, or delete videos associated with the account. |
| Remediation | A patch has been committed to the WordPress plugin repository trunk per the referenced changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3543763%402coders-integration-mux-video&new=3543763%402coders-integration-mux-video); however, the exact released version number containing this fix is not independently confirmed from the provided data - verify the current version in the WordPress plugin directory before updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43128
GHSA-rqch-mf8g-6cqr