Skip to main content

List Category Posts CVE-2026-12434

| EUVDEUVD-2026-44856 MEDIUM
Missing Authorization (CWE-862)
2026-07-16 Wordfence GHSA-w939-c8qp-6hm2
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible shortcode rendering with low complexity; contributor account required (PR:L); confidentiality-only impact on non-public post data, no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 03:45 vuln.today
CVE Published
Jul 16, 2026 - 02:30 cve.org
MEDIUM 4.3

DescriptionCVE.org

The List category posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.95.0 via the sanitize_status. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles, full content, excerpts, dates, authors, and custom-field metadata of other users' pending-review, scheduled, and trashed posts by embedding a crafted [catlist] shortcode in their own draft and previewing it. This vulnerability is a bypass of the incomplete fix introduced for CVE-2025-11377 in version 0.93.0.

AnalysisAI

Sensitive information exposure in the List Category Posts WordPress plugin (all versions through 0.95.0) allows authenticated contributors to read non-public posts belonging to other users - including pending-review, scheduled, and trashed content with full body text, excerpts, authors, and custom-field metadata. Exploitation requires only a contributor-level account and the ability to embed the native [catlist] shortcode in a draft post, then preview it, triggering the flawed sanitize_status logic. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain contributor-level WordPress account
Delivery
Craft [catlist] shortcode targeting pending/future/trash status
Exploit
Embed shortcode in personal draft post
Execution
Trigger preview rendering server-side
Persist
Receive non-public post content in preview response
Impact
Exfiltrate titles, content, and metadata

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a contributor-level WordPress account (or any higher role) on the target site, which is a non-default trust grant. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) is consistent with the actual threat model: network-accessible, low complexity, but requiring a legitimate contributor account, and limited to confidentiality impact only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a contributor-level account on a multi-author WordPress site creates a new draft post and inserts a [catlist] shortcode specifying a post_status of 'pending' or 'future' targeting a specific category. Upon previewing the draft, WordPress renders the shortcode server-side, and the plugin's sanitize_status function fails to enforce access controls, returning the full titles, body content, custom-field metadata, and authorship details of other users' non-public posts directly in the attacker's browser preview. …
Remediation A source-level fix has been committed to the plugin's Subversion repository as changeset 3598587 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3598587%40list-category-posts&new=3598587%40list-category-posts); however, a tagged release version incorporating this fix is not confirmed in the available data, so administrators should monitor the WordPress.org plugin page for a version above 0.95.0 and upgrade as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy