What the vulnerability does
01 Description
The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.
Explanation of Vulnerability in Simple Terms
02 Summary
PDF Embedder versions up to 4.9.3 expose sensitive information to authenticated users. A logged-in attacker with low privileges can read data they should not have access to through the plugin's file handling. The exposure is limited to confidentiality; the plugin's core functionality remains intact. Update to a version newer than 4.9.3.
What an attacker can do
03 Attacker Capabilities
Read sensitive information accessible through the plugin that should be restricted from their user role.
Potential impact on your site
04 Site Impact
Authenticated users may access private or restricted PDF content or metadata they shouldn't see.
Conditions required to exploit
05 Prerequisites
Attacker must be logged in to the site with at least a low-privilege user account.
Key dates
06 Disclosure timeline
May 28, 2026: CVE published
May 28, 2026: Record updated