CVE-2026-7526 MEDIUM

CVE-2026-7526: PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page

Vendor Smub
Product PDF Embedder
Weakness CWE-200 · Info exposure
Published May 28, 2026
Last update May 28, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.

Explanation of Vulnerability in Simple Terms

02 Summary

PDF Embedder versions up to and including 4.9.3 expose sensitive information to authenticated users. A logged-in attacker with low privileges can read plugin configuration data they should not have access to, exposed via enqueue_block_assets on the block editor page. The exposure is limited to confidentiality; the plugin's core functionality remains intact. Update to a version newer than 4.9.3.

What an attacker can do

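03 Attacker Capabilities

Read plugin configuration data that should be restricted from their user role. This includes the license key when the premium add-on is also installed and has saved a key; on Lite-only installations it is limited to non-sensitive viewer configuration values.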

Potential impact on your site

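04 Site Impact

Authenticated users with contributor-level access and above may read plugin configuration data they shouldn't see. If the premium add-on is installed and has saved a license key, that key is exposed.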

Conditions required to exploit

05 Prerequisites

Attacker must be logged in to the site with at least a contributor-level user account.

Key dates

06 Disclosure timeline

May 28, 2026 CVE published
May 28, 2026 Record updated