PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7526 smub CVE debrief

The PDF Embedder plugin for WordPress exposes sensitive configuration data through the `enqueue_block_assets` hook in versions up to and including 4.9.3. Authenticated users with contributor-level access or higher can extract this data. When the premium add-on is installed and a license key has been saved, the exposed data includes the license key. On Lite-only installations, the exposure is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan information. The vulnerability was disclosed on 2026-05-28 and assigned a CVSS 3.1 score of 4.3 (Medium). The issue is tracked as CWE-200 (Information Exposure). A changeset (3531901) in the WordPress plugin repository indicates a patch has been committed to the trunk branch.

Vendor: smub
Product: PDF Embedder
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

WordPress site administrators running the PDF Embedder plugin at version 4.9.3 or earlier; security teams monitoring WordPress plugin vulnerabilities; compliance officers concerned with license key exposure in content management systems

Technical summary

The PDF Embedder WordPress plugin registers block assets via `enqueue_block_assets` without adequate access controls or data sanitization, causing configuration objects to be exposed in rendered page output. Authenticated users with contributor privileges or higher can view this output and extract configuration data. The severity varies by installation type: premium add-on installations risk license key exposure, while Lite installations expose only non-sensitive viewer settings. The vulnerability is classified as CWE-200 (Information Exposure) with a CVSS 3.1 score of 4.3 (Medium). The fix was committed to the plugin repository trunk branch as changeset 3531901.
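The following is an added illustration of the bug class described above and of one hardened form, not the PDF Embedder plugin's own code; the option name, script handle and setting keys are assumed for the example.

```php
<?php
// Vulnerable pattern (illustrative): on enqueue_block_assets, the whole stored
// option array is handed to wp_localize_script, so it is serialised into the
// page for any user who can load the block editor (contributor and above).
// If the array holds a license key, the key ships to the browser too.
function example_vulnerable_enqueue_block_assets() {
    $settings = get_option( 'example_pdf_settings', array() ); // assumed option name
    wp_enqueue_script(
        'example-pdf-block',
        plugins_url( 'block.js', __FILE__ ),
        array( 'wp-blocks' ),
        '1.0',
        true
    );
    // Leaks every key, including license_key, into window.examplePdfConfig.
    wp_localize_script( 'example-pdf-block', 'examplePdfConfig', $settings );
}

// Hardened pattern: allow-list only the viewer values the front-end needs
// (width, height, toolbar) and never send the secret itself. If the UI needs
// to know whether a license exists, send a derived boolean, and only to users
// who may manage the site.
function example_hardened_enqueue_block_assets() {
    $settings    = get_option( 'example_pdf_settings', array() );
    $public_keys = array( 'width', 'height', 'toolbar' ); // assumed non-sensitive keys
    $config      = array();

    foreach ( $public_keys as $key ) {
        if ( isset( $settings[ $key ] ) ) {
            $config[ $key ] = $settings[ $key ];
        }
    }

    if ( current_user_can( 'manage_options' ) ) {
        // Derived, non-secret value; the key material never reaches the page.
        $config['license_active'] = ! empty( $settings['license_key'] );
    }

    wp_enqueue_script(
        'example-pdf-block',
        plugins_url( 'block.js', __FILE__ ),
        array( 'wp-blocks' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-pdf-block', 'examplePdfConfig', $config );
}
add_action( 'enqueue_block_assets', 'example_hardened_enqueue_block_assets' );
```

A quick check after patching is to load a page as a contributor-level test account and confirm that the localized config object in the page source contains no license key.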

Defensive priority

medium

Recommended defensive actions

  • Update PDF Embedder plugin to version 4.9.4 or later, which contains the fix in changeset 3531901
  • If immediate patching is not possible, restrict contributor-level access to trusted users only
  • Review access logs for unusual authenticated requests to block editor or frontend assets that may indicate attempted exploitation
  • Audit installed plugins to confirm whether the PDF Embedder premium add-on is present; if so, rotate any exposed license keys after patching
  • Consider implementing additional output filtering on `enqueue_block_assets` hooks site-wide as a defense-in-depth measure

Evidence notes

Vulnerability identified in PDF Embedder plugin for WordPress. Affected versions: up to and including 4.9.3. Attack vector: authenticated (contributor+). Impact: sensitive information exposure including license key when premium add-on present; non-sensitive configuration values on Lite-only installations. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. CWE-200 classification. Patch available via changeset 3531901.

Official resources

2026-05-28