Medium severity4.3NVD Advisory· Published May 28, 2026· Updated May 28, 2026
CVE-2026-7526
CVE-2026-7526
Description
The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=4.9.3+ 1 more
- (no CPE)range: <=4.9.3
- (no CPE)range: <=4.9.3
Patches
Vulnerability mechanics
References
6- plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.phpnvd
- plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.phpnvd
- plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.phpnvd
- plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.phpnvd
- plugins.trac.wordpress.org/changeset/3531901/pdf-embedder/trunk/src/Plugin.phpnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/0e0f2516-0fa7-415e-868e-6bd259bc6546nvd
News mentions
2- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)Wordfence Blog · Jun 4, 2026
- WordPress Plugin Batch: 25 CVEs Across 20+ Plugins Disclosed in Late May 2026Vypr Intelligence · May 31, 2026