CVE-2026-7526
Description
The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The PDF Embedder plugin for WordPress up to 4.9.3 exposes configuration data via enqueue_block_assets to authenticated users with contributor-level access.
Vulnerability
The PDF Embedder plugin for WordPress versions up to and including 4.9.3 exposes sensitive configuration data through the enqueue_block_assets function. The vulnerability allows authenticated attackers with contributor-level access or higher to extract configuration values. In installations where the premium add-on is installed with a saved license key, the full license key is exposed; otherwise, non-sensitive viewer settings (width, height, toolbar options, usage tracking, plan) are revealed [1][2][3][4].
Exploitation
An attacker must have an authenticated WordPress account with contributor-level access or above. No special privileges beyond that are required. The attacker can trigger the vulnerability by visiting or interacting with a page that loads the block assets from the plugin. The function enqueue_block_assets outputs the configuration data, which is then accessible via the browser's developer tools or network responses [1][2][3][4].
Impact
Successful exploitation leads to unauthorized disclosure of configuration data. In Lite-only installations, this includes viewer preferences that may aid in further attacks. When the premium add-on is active with a saved license key, the attacker obtains the full license key, which could be used to deactivate the license or access additional protected features [1][2][3][4].
Mitigation
A patched version is available in the WordPress plugin repository via changeset 3531901; the fix was committed on 2026-03-24. Users should update the PDF Embedder plugin to version 4.9.4 or later. For users unable to update immediately, there is no known workaround other than restricting contributor-level access or disabling the plugin until patched [1][2][3][4].
- https://plugins.trac.wordpress.org/changeset/3531901/pdf-embedder/trunk/src/Plugin.php?old=3429550&old_path=pdf-embedder%2Ftrunk%2Fsrc%2FPlugin.php
- https://plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.php#L224
- https://plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.php#L204
- https://plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.php#L224
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=4.9.3
Patches
- r3531901
References
- plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.php (nvd)
- plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.php (nvd)
- plugins.trac.wordpress.org/changeset/3531901/pdf-embedder/trunk/src/Plugin.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/0e0f2516-0fa7-415e-868e-6bd259bc6546 (nvd)