CVE-2026-24536
Published: 23 January 2026
Summary
CVE-2026-24536 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 3.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-24536 is an Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability (CWE-497) in the webpushr-web-push-notifications WordPress plugin. This flaw allows retrieval of embedded sensitive data and affects all versions of the Webpushr plugin up to and including 4.38.0.
Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation results in low-impact disclosure of sensitive system information, with no effects on integrity or availability, as reflected in the CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
The Patchstack advisory documents this sensitive data exposure issue specifically in Webpushr plugin version 4.38.0 for WordPress, available at https://patchstack.com/database/Wordpress/Plugin/webpushr-web-push-notifications/vulnerability/wordpress-webpushr-plugin-4-38-0-sensitive-data-exposure-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4383
Vulnerability details
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in webpushr Webpushr webpushr-web-push-notifications allows Retrieve Embedded Sensitive Data. This issue affects Webpushr: from n/a through <= 4.38.0.
- CWE(s): CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The unauthenticated remote exposure in a public-facing WordPress plugin directly enables exploitation of a public-facing application (T1190) to obtain sensitive system information, which facilitates System Information Discovery (T1082).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access control policies to block unauthenticated retrieval of embedded sensitive data exposed by the plugin.
- AC-4 (Information Flow Enforcement): Enforces information flow rules that prevent sensitive system data from reaching an unauthorized control sphere.
- AC-6 (Least Privilege): Limits privileges so that plugin code and data are only accessible to the minimum set of authorized subjects.