CVE-2026-48872

Vulnerability

An unauthenticated sensitive data exposure vulnerability exists in the WordPress EmbedPress plugin versions up to and including 4.5.2 [1]. The flaw resides in how the plugin handles specific AJAX requests, allowing remote attackers without any authentication to retrieve sensitive information from the WordPress database [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to a vulnerable WordPress site running EmbedPress version 4.5.2 or earlier. No authentication or user interaction is required, and the attack can be performed remotely over the network [1]. The vulnerability is expected to be used in mass-exploit campaigns, targeting thousands of websites at once [1].

Impact

Successful exploitation leads to the exposure of sensitive data that is normally restricted to authorized users. This could include configuration details, user information, or other internal data that can be leveraged to further compromise the site or its users [1]. The CVSS v3 base score is 7.5 (High), with the primary impact being confidentiality [1].

Mitigation

The vulnerability is fixed in EmbedPress version 4.5.3, released to address the issue [1]. Users are strongly advised to update to version 4.5.3 or later immediately. For Patchstack users, a mitigation rule is available to block attacks until the update is applied [1]. No other workarounds are documented in the available references.