Visual Link Preview
Monthly
Sensitive data exposure in the Visual Link Preview WordPress plugin (versions up to and including 2.4.1) allows authenticated users with subscriber-level access to access restricted data they should not be authorized to view. The vulnerability stems from insufficient access controls over sensitive system information (CWE-497), permitting any logged-in subscriber to trigger a disclosure endpoint or functionality that returns protected data. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the low privilege bar makes this accessible to any registered WordPress user.
Server-Side Request Forgery (SSRF) in Brecht Visual Link Preview WordPress plugin versions through 2.3.0 allows authenticated attackers with low privileges to make arbitrary network requests from the affected server, potentially accessing internal resources, metadata services, or performing actions on behalf of the server. No public exploit code identified at time of analysis, though the vulnerability carries low real-world exploitation probability (EPSS 0.02%) despite moderate CVSS scoring.
Sensitive data exposure in the Visual Link Preview WordPress plugin (versions up to and including 2.4.1) allows authenticated users with subscriber-level access to access restricted data they should not be authorized to view. The vulnerability stems from insufficient access controls over sensitive system information (CWE-497), permitting any logged-in subscriber to trigger a disclosure endpoint or functionality that returns protected data. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the low privilege bar makes this accessible to any registered WordPress user.
Server-Side Request Forgery (SSRF) in Brecht Visual Link Preview WordPress plugin versions through 2.3.0 allows authenticated attackers with low privileges to make arbitrary network requests from the affected server, potentially accessing internal resources, metadata services, or performing actions on behalf of the server. No public exploit code identified at time of analysis, though the vulnerability carries low real-world exploitation probability (EPSS 0.02%) despite moderate CVSS scoring.