{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39686", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:10.483Z", "datePublished": "2026-04-08T08:30:43.188Z", "dateUpdated": "2026-04-08T15:05:03.158Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "bsk-pdf-manager", "product": "BSK PDF Manager", "vendor": "bannersky", "versions": [{"lessThanOrEqual": "3.7.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:42.886Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in bannersky BSK PDF Manager bsk-pdf-manager allows Retrieve Embedded Sensitive Data.<p>This issue affects BSK PDF Manager: from n/a through <= 3.7.2.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in bannersky BSK PDF Manager bsk-pdf-manager allows Retrieve Embedded Sensitive Data.This issue affects BSK PDF Manager: from n/a through <= 3.7.2."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:43.188Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/bsk-pdf-manager/vulnerability/wordpress-bsk-pdf-manager-plugin-3-7-2-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress BSK PDF Manager plugin <= 3.7.2 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:04:50.381066Z", "id": "CVE-2026-39686", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:05:03.158Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39686", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:04:50.381066Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:00:56.419Z"}}], "cna": {"title": "WordPress BSK PDF Manager plugin <= 3.7.2 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Doan Dinh Van | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "affected": [{"vendor": "bannersky", "product": "BSK PDF Manager", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.7.2"}], "packageName": "bsk-pdf-manager", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:42.886Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/bsk-pdf-manager/vulnerability/wordpress-bsk-pdf-manager-plugin-3-7-2-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in bannersky BSK PDF Manager bsk-pdf-manager allows Retrieve Embedded Sensitive Data.This issue affects BSK PDF Manager: from n/a through <= 3.7.2.", "supportingMedia": [{"type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in bannersky BSK PDF Manager bsk-pdf-manager allows Retrieve Embedded Sensitive Data.<p>This issue affects BSK PDF Manager: from n/a through <= 3.7.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:43.188Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39686", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:05:03.158Z", "dateReserved": "2026-04-07T10:58:10.483Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:43.188Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in bannersky BSK PDF Manager bsk-pdf-manager allows Retrieve Embedded Sensitive Data.This issue affects BSK PDF Manager: from n/a through <= 3.7.2."}], "id": "CVE-2026-39686", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:40.530", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/bsk-pdf-manager/vulnerability/wordpress-bsk-pdf-manager-plugin-3-7-2-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "BSK PDF Manager", "source": "cna", "vendor": "bannersky"}, "product": "bsk_pdf_manager", "vendor": "bannersky"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:31:35.969269+00:00", "value": {"mitigation_remediation": ["Upgrade the BSK PDF Manager plugin to a version newer than 3.7.2.", "If an upgrade is not immediately possible, disable or remove the plugin from the WordPress installation.", "Verify that the plugin files and any associated URLs are not publicly accessible via the web server.", "Apply any vendor advisories or patches released in response to this vulnerability.", "Post-upgrade, review access logs for any suspicious activity that may have occurred before the patch was applied."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is the bannersky BSK PDF Manager WordPress plugin, versions up through 3.7.2. No other version information is disclosed. Any WordPress site using the plugin at or below that version is at risk.", "description_and_impact": "The WordPress BSK PDF Manager plugin has a vulnerability that permits an attacker to retrieve embedded sensitive data from the plugin, exposing confidential system information. The flaw stems from improper access control enforcement and is classified as CWE-497, which involves missing authorization checks. The result is that confidential data may be accessed by unauthorized parties, potentially compromising confidentiality and violating data protection requirements.", "risk_and_exploitability": "The CVSS or EPSS scores are not provided, but given the nature of the vulnerability it presents a high risk because any external user can potentially gather sensitive data. The likely attack vector is through the plugin\u2019s publicly accessible endpoints. No authentication appears to be required, so the vulnerability can be exploited by anyone who can reach the WordPress site. The absence of a KEV listing merely indicates it has not yet been added to the CISA catalog, but does not reduce the threat."}}}}, "created": "2026-04-08T19:27:48.665781+00:00", "updated": "2026-04-08T19:40:34.713957+00:00", "vendors": ["bannersky", "bannersky$PRODUCT$bsk_pdf_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}