CVE-2026-52698: WordPress PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget plugin <= 4.2.3 - Sensitive Data Exposure vulnerability
Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget <= 4.2.3 versions.
Metrics
- CVSS v3.1: 7.4
- Severity: HIGH
- Fixed in: no fix version published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
A sensitive data exposure vulnerability affects the PushEngage WordPress plugin (Web Push Notifications, eCommerce Automation and Chat Widget) at version 4.2.3 and earlier. The flaw is reachable over the network and requires only a low-privilege subscriber account, meaning any registered WordPress user can trigger it without admin rights. Successful exploitation allows an attacker to read, modify, or partially disrupt subscriber data with scope that extends beyond the plugin itself into the broader WordPress environment. HarborGuard is tracking the advisory for patch availability, as no fix version has been published yet.
HarborGuard Coverage
- Detection (Available): Detection of CVE-2026-52698 is available across every HarborGuard environment. Images are matched against the CVE within minutes of ingestion from upstream feeds, including custom-built WordPress images that bundle the PushEngage plugin.
- Triage (Available): Triage is available with the CVSS v3.1 score of 7.4 (HIGH), weighted against each customer organization's compliance policy to surface the alert to the appropriate team inbox. Per-environment policy rules can escalate or suppress the finding based on internal risk thresholds.
- Patched rebuild (Pending upstream): Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version appears. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated automatically at that point.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Required
A low-privilege account (subscriber level) is sufficient; no administrator or elevated credentials are needed.
- Victim interaction: Not required
The attacker does not need to trick any user into taking an action; exploitation is direct once the attacker is authenticated.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special preconditions, race conditions, or environmental factors.
Blast Radius
- Reads subscriber data stored by the PushEngage plugin, which may include push notification subscriber identifiers and associated contact details.
- Modifies plugin-managed subscriber records, potentially corrupting notification targeting or injecting attacker-controlled data.
- Causes partial disruption to plugin functionality, degrading push notification delivery or eCommerce automation workflows.
- The changed scope (S:C) means impact can extend beyond the plugin into adjacent WordPress components or data accessible to the plugin's execution context.
How HarborGuard Handles This
Available on HarborGuard: the CVE is ingested from upstream feeds and matched against customer images within minutes of publication, covering custom WordPress images that include the PushEngage plugin. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include restricting subscriber-role registration on affected WordPress installations, applying network-policy rules to limit which services can reach the WordPress API, and auditing subscriber-facing endpoints for unexpected data access. HarborGuard will continue tracking the Patchstack advisory and update the finding status as soon as upstream ships a patch.
Affected Products
- Syed Balkhi / PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget ≤ 4.2.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L