CVE-2026-7526: PDF Embedder WordPress Plugin Sensitive Information Exposure
The PDF Embedder plugin for WordPress contains a flaw that allows authenticated users with basic contributor permissions or higher to access sensitive configuration information. If the premium add-on is installed with a saved license key, that key can be exposed; on free installations, the exposure is limited to non-sensitive viewer settings like dimensions and toolbar options. An attacker would need valid WordPress login credentials at the contributor level or above to exploit this, but no user interaction or network complexity is required once authenticated.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-7526 is a Sensitive Information Exposure vulnerability (CWE-200) in the PDF Embedder plugin for WordPress affecting versions up to and including 4.9.3. The vulnerability exists in the enqueue_block_assets function, which improperly handles configuration data retrieval. Authenticated attackers with contributor-level permissions can access this data via the WordPress REST API or block editor endpoints. The exposure scope depends on installation type: premium installations with a stored license key face full credential disclosure, while Lite-only installations leak non-sensitive metadata including viewer dimensions, toolbar configuration, usage tracking preferences, and service plan information. The CVSS 3.1 score of 4.3 (MEDIUM) reflects the requirement for authentication and limited information disclosure impact.
Business impact
For WordPress sites using PDF Embedder premium, license key compromise creates immediate risk of unauthorized premium feature access and potential credential reuse across other services if keys follow naming patterns. For all installations, exposure of viewer configuration and plan information aids reconnaissance—attackers can map viewer capabilities and identify premium deployments for targeted attacks. The low barrier to entry (contributor access is commonly delegated to content authors and editors) increases organizational risk if user permissions are not strictly managed. Remediation delay leaves sites vulnerable for the duration of exposure.
Affected systems
PDF Embedder plugin for WordPress in all versions up to 4.9.3. Risk is highest for sites running the premium add-on with a saved license key; Lite-only installations face reduced but non-zero risk. Any WordPress site granting contributor or higher permissions to multiple users or third-party content creators is vulnerable if they update to or remain on an affected version.
Exploitability
Exploitation requires authenticated access at contributor level or above—not a public exploit barrier, but a meaningful one. No active KEV listing indicates this is not yet a weaponized malware vector. Exploitation is straightforward for an attacker with valid credentials; no special tools or complex manipulation required. The vulnerability is easily discovered by code review or by inspecting REST API responses while logged in as a contributor. Risk is elevated in multi-author environments, managed WordPress services, or where contributor accounts are provisioned to external agencies.
Remediation
Update PDF Embedder plugin to a patched version released after the May 28, 2026 publication date (verify against the vendor's official advisory for the specific version number). For sites unable to update immediately, restrict contributor-level permissions to only trusted staff, audit existing contributor and editor accounts, and review access logs for suspicious REST API activity. If premium add-ons are installed, rotate license keys immediately and monitor for unauthorized premium feature activation. After patching, verify no stored license keys remain exposed in browser history or logs.
Patch guidance
Patch availability and version numbers should be verified against the official PDF Embedder plugin repository and vendor advisory. Administrators should check the WordPress plugin directory or the vendor's website for the released patch version. Apply updates during a maintenance window after testing in a staging environment. Confirm the update version is higher than 4.9.3 before deploying to production. Sites with automated updates disabled should manually trigger an update or enable automatic security updates for this plugin.
Detection guidance
Monitor REST API endpoints related to block editor configuration for access by contributor-level accounts, particularly repeated requests from the same user outside normal editing patterns. Log and audit calls to enqueue_block_assets and related hooks that retrieve configuration. Check WordPress audit logs for REST API access by contributors and examine which accounts have accessed block editor endpoints. For premium installations, implement alerting on license key access via logs or database queries. Use security plugins to monitor for suspicious contributor activity and unexpected access to admin data.
Why prioritize this
Although rated MEDIUM severity and not on the KEV list, this vulnerability warrants prompt attention because: (1) it affects widely-used WordPress plugin with many premium customers facing license key exposure, (2) the attack surface is large in multi-author environments where contributor access is common, (3) exploitation requires no social engineering or user interaction once authenticated, and (4) the reconnaissance value aids further attacks on affected sites. Organizations with strict contributor permission policies face lower risk and can defer patching slightly longer than those with open delegation models.
Risk score, explained
CVSS 3.1 score of 4.3 reflects a MEDIUM severity due to: low attack complexity (standard API access), requirement for prior authentication at contributor or higher level (reducing attack surface), and confidentiality impact limited to configuration data and potentially license keys (not complete system compromise). The score does not account for the organizational context of multi-author WordPress sites where contributor accounts are numerous or delegated externally, which elevates practical risk beyond the base score.
Frequently asked questions
Does this affect all PDF Embedder installations or only premium?
All versions up to 4.9.3 are vulnerable. Sites running only the Lite version have reduced exposure—configuration metadata is leaked but license keys cannot be exposed because none are stored. Premium installations with a saved license key face the full risk of credential disclosure.
Do I need a contributor account to exploit this, or can anyone access it?
An attacker must have valid WordPress login credentials with contributor-level permissions or higher (editor, admin). This is not a public-facing vulnerability. The risk is highest on sites where contributor access is granted to multiple staff members, external authors, or third-party agencies.
If my site is updated to the patched version, should I rotate my license key?
Yes. If your site ran premium PDF Embedder with a saved license key while vulnerable, treat the key as potentially compromised. Rotate it immediately after patching. Check your license usage logs for unauthorized activation or use on unfamiliar domains.
Is there active exploitation in the wild?
This vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date. However, the simplicity of exploitation and value of license key exposure mean you should assume capable threat actors will attempt to leverage this once aware of it.
This analysis is based on publicly available vulnerability data current as of the publication date. Patch version numbers and vendor advisory details must be verified against official PDF Embedder plugin sources and the WordPress plugin repository. CVSS scores and severity ratings are derived from the published CVE record and should not be modified without reference to the official scoring documentation. Exploit code and detailed proof-of-concept steps are not provided in this analysis. Organizations should conduct their own risk assessment within their specific environment and incident response procedures before applying patches or changes to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)
- CVE-2026-2128MEDIUMBreeze WordPress Plugin Cache Information Disclosure (v2.5.2 and earlier)
- CVE-2026-28511MEDIUMeLabFTW Information Disclosure – Title Exposure via Cross-Scope Search
- CVE-2026-36602MEDIUMMercusys AC12G Kernel Memory Disclosure via UPnP
- CVE-2026-36615MEDIUMMercusys AC12G (EU) Unauthenticated Information Disclosure via /agileconfigreset Endpoint
- CVE-2026-36618MEDIUMMercusys AC12G DNS Version Disclosure Vulnerability