CVE-2026-48872: WordPress EmbedPress plugin <= 4.5.2 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: — (no fixed version published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated sensitive data exposure vulnerability affects the EmbedPress WordPress plugin at version 4.5.2 and earlier. The flaw is reachable over the network without any credentials, meaning any internet-facing WordPress site running the affected plugin is exposed. Successful exploitation allows an attacker to read sensitive data from the affected installation. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment an upstream fix is available.
HarborGuard Coverage
Detection for CVE-2026-48872 is available across every HarborGuard environment; the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images, including custom-built WordPress images that bundle EmbedPress. Any image containing EmbedPress at or below version 4.5.2 is flagged automatically.
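As an added example (not HarborGuard's or WPDeveloper's code), the check below shows what that flagging logic amounts to when run over an unpacked image or a live WordPress tree: read the plugin header that WordPress itself uses to identify a plugin, parse the version numerically, and compare it with 4.5.2. It assumes the EmbedPress main file carries a standard `Plugin Name: EmbedPress` header and sits under `wp-content/plugins/`; the sample header and the two-plugin directory built by `demo()` are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Last version this advisory names as affected; no fixed version is published yet.
LAST_AFFECTED = (4, 5, 2)

# Constructed sample of a WordPress plugin header (not copied from EmbedPress).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: EmbedPress
 * Plugin URI:  https://wordpress.org/plugins/embedpress/
 * Version:     4.5.2
 * Author:      WPDeveloper
 */
"""


def parse_plugin_header(text):
    """Read the 'Plugin Name' and 'Version' fields of a WordPress plugin header.

    Matching is deliberately loose, like WordPress's own header reader: the field
    may be preceded by comment punctuation and is matched case-insensitively.
    """
    fields = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r"\s*:\s*(.+?)\s*$",
                      text, re.M | re.I)
        if m:
            fields[key] = m.group(1)
    return fields


def parse_version(s):
    """'4.5.2' -> (4, 5, 2); '4.5' -> (4, 5, 0); '4.5.2-beta1' -> (4, 5, 2).

    Numeric tuples compare correctly where strings do not ('4.10.0' > '4.5.2').
    """
    m = re.match(r"(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError("unparseable version: %r" % s)
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_affected(version):
    """True when the installed version is at or below the last affected release."""
    return parse_version(version) <= LAST_AFFECTED


def check_plugin_file(text):
    """Return a finding for an EmbedPress main file, None for any other plugin."""
    h = parse_plugin_header(text)
    if h.get("Plugin Name", "").strip().lower() != "embedpress" or "Version" not in h:
        return None
    return {"version": h["Version"], "affected": is_affected(h["Version"])}


def scan_tree(root):
    """Walk a filesystem (e.g. an unpacked container image) for plugin main files
    under wp-content/plugins/ and report every EmbedPress install with its status."""
    findings = []
    for php in Path(root).glob("**/wp-content/plugins/*/*.php"):
        try:
            text = php.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        finding = check_plugin_file(text)
        if finding:
            finding["path"] = str(php.relative_to(root))
            findings.append(finding)
    return findings


def demo():
    """Build a constructed tree with two plugins (only one is EmbedPress) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        plugins = Path(d) / "var" / "www" / "html" / "wp-content" / "plugins"
        (plugins / "embedpress").mkdir(parents=True)
        (plugins / "embedpress" / "embedpress.php").write_text(SAMPLE_HEADER)
        (plugins / "akismet").mkdir()
        (plugins / "akismet" / "akismet.php").write_text(
            "<?php\n/**\n * Plugin Name: Akismet\n * Version: 5.3\n */\n")
        return scan_tree(d)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

Numeric comparison is the part worth getting right: a string comparison would rank `4.10.0` below `4.5.2` and mis-flag a future release. Because no fixed version exists yet, the threshold is simply "at or below 4.5.2"; once WPDeveloper publishes a fix, `LAST_AFFECTED` moves to the release immediately before it.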
HarborGuard scores this CVE at CVSS 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and applies per-environment compliance policy weighting to determine urgency and route findings to the appropriate team inbox within each customer organization.
Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment WPDeveloper ships a remediated release. In the meantime, HarborGuard surfaces the unpatched finding continuously so teams can apply compensating controls while awaiting the upstream patch.
Exploit Conditions
- Network reachability: Required
The vulnerable component is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP/HTTPS to trigger the issue.
- Authentication: Not required
No account or session token of any kind is needed; the attacker sends unauthenticated requests to exploit the flaw.
- Victim interaction: Not required
No user action is required; the attacker exploits the endpoint directly without any social-engineering step.
- Attack complexity: Low
Attack complexity is low (CVSS AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites.
Blast Radius
- A successful attacker reads sensitive data exposed by the plugin. This page does not identify which data; depending on what EmbedPress stores or surfaces in a given installation, it may include configuration details, API keys, or other confidential information.
- Confidentiality impact is rated High (CVSS C:H) with Scope Unchanged, i.e. total loss of confidentiality for the data the plugin itself handles or exposes; the rating does not by itself imply access to data outside the plugin.
- Integrity and availability are unaffected (I:N/A:N); the attacker gains read access only and cannot modify or delete data through this path.
How HarborGuard Handles This
Detection for this CVE is active on HarborGuard against all images containing EmbedPress at or below version 4.5.2, with findings visible in each environment's vulnerability dashboard as soon as the ingest cycle completes. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory and the WPDeveloper release feed on every ingest cycle. The moment a fix version is published, a patched-image rebuild becomes available; for customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads.
While no patch is available, recommended compensating controls are:
- Restrict public network access to affected WordPress installations via network policy, so that only trusted sources can reach the site.
- Apply a web application firewall rule that blocks requests targeting the vulnerable endpoint. Note that this page does not identify the endpoint, so a precise rule cannot be written from it alone; until the upstream advisory details are public, rely on a vendor-supplied virtual patch or scope the rule to the plugin's own request paths.
- Audit what sensitive data EmbedPress has access to (stored credentials, API keys, embedded-content configuration) and reduce that scope where possible.
- Where EmbedPress is installed but not actually in use, deactivating and removing the plugin removes the exposed code entirely.
Affected Products
- WPDeveloper / EmbedPress: ≤ 4.5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N