VYPR
Medium severity 6.5 · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-48878

Description

The Visual Link Preview plugin for WordPress, versions 2.4.1 and earlier, exposes subscriber-sensitive data to unauthenticated requests, risking information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Visual Link Preview plugin for WordPress versions 2.4.1 and earlier fails to properly restrict access to subscriber-sensitive data [1]. This allows any unauthenticated user to retrieve information that should only be available to authorized roles. The vulnerability resides in the plugin's data handling routines, and no special configuration is required to exploit it; the default installation is affected.

Exploitation

An attacker with network access to the WordPress site can exploit this vulnerability by sending crafted HTTP requests to the plugin's exposed endpoints. No authentication or user interaction is required. The exact request parameters are documented in the Patchstack advisory [1]. The attack is straightforward and does not require a race condition or elevated privileges.

Impact

Successful exploitation enables the attacker to view subscriber-sensitive data, which may include personally identifiable information such as email addresses, usernames, and other account metadata. This is a confidentiality breach that can lead to further attacks, such as phishing or account takeover, depending on the exposed fields [1].

Mitigation

The vulnerability is fully patched in version 2.4.2 of the plugin. Users are strongly advised to update immediately [1]. For those who cannot update, Patchstack provides a virtual mitigation rule that blocks exploitation attempts until the update is applied. No other workarounds have been disclosed.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1