[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9mVgHRoMBQ08vGik2rQeEWtsjERTxVq1_RGIyWkibzs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-52698","pushengage-web-push-notifications-woocommerce-automation-chat-widget-authenticated-subscriber-information-exposure","PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget \u003C= 4.2.3 - Authenticated (Subscriber+) Information Exposure","The PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.","pushengage",null,"\u003C=4.2.3","4.2.4","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-06-10 00:00:00","2026-06-18 13:35:16",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F897ee0c1-9f28-47b5-9b10-f6fd8c4c4f18?source=api-prod",9,[22,23,24,25,26,27,28,29],"CHANGELOG.md","app\u002FCore.php","app\u002FDashboardWidget.php","app\u002FIntegrations\u002FAbilities\u002FAbstractRegistrar.php","app\u002FIntegrations\u002FWooCommerce\u002FNotificationSettings.php","app\u002FIntegrations\u002FWooCommerce\u002FWhatsapp\u002FCartAbandonment\u002FTracker.php","app\u002FWhatsNew.php","main.php","researched",false,3,"true` is set, the Abilities API might bypass the `permission_callback` for MCP-enabled clients (which might include a Subscriber-level user role).\n\n    *   `pushengage\u002Fget-plugin-info`\n    *   `pushengage\u002Fget-analytics`\n    *   `pushengage\u002Fget-segments`\n    *   `pushengage\u002Fget-audience-groups`\n    *   `pushengage\u002Fget-auto-push-settings`\n\n    *   I'll try `pushengage\u002Fget-plugin-info` first.\n\n    *   *Pre-conditions*:\n        1.  WordPress Abilities API (feature plugin) must be active (or we simulate the environment where PushEngage registers these).\n        2.  PushEngage must be configured with an API key (to have a `user` envelope to leak).\n        3.  Subscriber user must be created.\n\n    *   *Steps*:\n        1.  Login as Subscriber.\n        2.  Fetch `\u002Fwp-json\u002Fwp-abilities\u002Fv1\u002Fcall\u002Fpushengage\u002Fget-plugin-info` via POST.\n        3.  Check if response contains the `user` object.\n\n    *   *Nonce*: Use `X-WP-Nonce` header with a nonce for the `wp_rest` action.\n    *   *How to get the nonce?*\n        Log in as Subscriber, navigate to `\u002Fwp-admin\u002F`, extract `wpApiSettings","The PushEngage plugin registers multiple 'abilities' via the WordPress Abilities API and admin-facing dashboard components that fail to properly enforce high-level permissions. This allows authenticated users with Subscriber-level roles to access sensitive account metadata, including owner emails, plan details, and billing-related IDs (like Stripe IDs) by querying REST API endpoints or viewing admin widgets.","\u002F\u002F app\u002FDashboardWidget.php:41\npublic function dashboard_widget() {\n\t\u002F\u002F Get options from settings\n\t$pushengage_settings = Options::get_site_settings();\n\t$hide_widget = $pushengage_settings['misc']['hideDashboardWidget'];\n\t\u002F\u002F Return if widget is disabled.\n\tif ( $hide_widget ) {\n\t\treturn;\n\t}\n\twp_add_dashboard_widget(\n\t\t'pe-dashboard-widget',\n\t\tesc_html__( 'PushEngage', 'pushengage' ),\n\t\tarray( $this, 'dashboard_widget_callback' ),\n\t\tnull,\n\t\tnull,\n\t\t'normal',\n\t\t'high'\n\t);\n\n---\n\n\u002F\u002F app\u002FWhatsNew.php:52\npublic static function is_showing() {\n\tglobal $pagenow;\n\t$pushengage_settings = Options::get_site_settings();\n\t$disabled  = ArrayHelper::get( $pushengage_settings, 'dismissed_whats_new_notice', false );\n\n\treturn 'plugins.php' === $pagenow && ! $disabled;\n}\n\n---\n\n\u002F\u002F app\u002FIntegrations\u002FAbilities\u002FAbstractRegistrar.php:115\nprotected static function unwrap_envelope( $response, $shape = 'object' ) {\n\t$data = ( is_array( $response ) && isset( $response['data'] ) && is_array( $response['data'] ) )\n\t\t? $response['data']\n\t\t: array();\n\n\tif ( 'rows' !== $shape ) {\n\t\treturn $data;\n\t}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.3\u002Fapp\u002FCore.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.4\u002Fapp\u002FCore.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.3\u002Fapp\u002FCore.php\t2026-05-15 10:46:50.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.4\u002Fapp\u002FCore.php\t2026-05-19 12:57:28.000000000 +0000\n@@ -266,14 +266,13 @@\n \t* @return void\n \t*\u002F\n \tpublic function init_admin_options() {\n+\t\tif ( ! current_user_can( 'manage_options' ) || false === $this->is_pushengage_active() ) {\n+\t\t\treturn;\n+\t\t}\n \n \t\t\u002F\u002F Add Meta box when PushEngage site is not connected.\n \t\tadd_action( 'add_meta_boxes', array( $this, 'add_pushengage_site_not_connected_metabox' ) );\n \n-\t\tif ( ! is_user_logged_in() || false === $this->is_pushengage_active() ) {\n-\t\t\treturn;\n-\t\t}\n-\n \t\tadd_action( 'add_meta_boxes', array( $this, 'add_pushengage_settings_metabox' ) );\n \n \t\t\u002F\u002F action hook, to handle the case of draft and schedule post to send notification.\n@@ -747,6 +746,9 @@\n \t * @return void\n \t *\u002F\n \tpublic function load_block_editor_scripts() {\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\treturn;\n+\t\t}\n \t\t$screen = get_current_screen();\n \t\tif ( ! $screen || ! in_array( $screen->post_type, Options::get_allowed_post_types_for_auto_push(), true ) ) {\n \t\t\treturn;\n\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.3\u002Fapp\u002FDashboardWidget.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.4\u002Fapp\u002FDashboardWidget.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.3\u002Fapp\u002FDashboardWidget.php\t2026-05-15 10:46:50.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.4\u002Fapp\u002FDashboardWidget.php\t2026-05-19 12:57:28.000000000 +0000\n@@ -41,6 +41,9 @@\n \t * @return void\n \t *\u002F\n \tpublic function dashboard_widget() {\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\treturn;\n+\t\t}\n \t\t\u002F\u002F Get options from settings\n \t\t$pushengage_settings = Options::get_site_settings();\n \t\t$hide_widget = $pushengage_settings['misc']['hideDashboardWidget'];\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.3\u002Fapp\u002FWhatsNew.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.4\u002Fapp\u002FWhatsNew.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.3\u002Fapp\u002FWhatsNew.php\t2026-05-15 10:46:50.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fpushengage\u002F4.2.4\u002Fapp\u002FWhatsNew.php\t2026-05-19 12:57:28.000000000 +0000\n@@ -52,7 +52,7 @@\n \t\t$pushengage_settings = Options::get_site_settings();\n \t\t$disabled  = ArrayHelper::get( $pushengage_settings, 'dismissed_whats_new_notice', false );\n \n-\t\treturn 'plugins.php' === $pagenow && ! $disabled;\n+\t\treturn current_user_can( 'manage_options' ) && 'plugins.php' === $pagenow && ! $disabled;\n \t}","The vulnerability is exploitable by an authenticated user with Subscriber-level permissions or higher. An attacker can use a valid REST API nonce (extractable from the WordPress dashboard) to send POST requests to endpoints registered by the Abilities API, such as `\u002Fwp-json\u002Fwp-abilities\u002Fv1\u002Fcall\u002Fpushengage\u002Fget-plugin-info`. Because the `unwrap_envelope` logic in `AbstractRegistrar.php` was incomplete for certain data shapes, and capability checks were insufficient in `Core.php`, the API response would leak the internal PushEngage 'user' envelope. This envelope contains sensitive information including the account owner's email address, active sites, and external payment provider identifiers (e.g., Stripe IDs).","gemini-3-flash-preview","2026-06-26 01:35:54","2026-06-26 01:36:40",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","4.2.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpushengage\u002Ftags\u002F4.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpushengage.4.2.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpushengage\u002Ftags\u002F4.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fpushengage.4.2.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fpushengage\u002Ftags"]