Skip to main content

Page-list Plugin EUVDEUVD-2026-34939

| CVE-2026-9008 MEDIUM
Missing Authorization (CWE-862)
2026-06-06 Wordfence GHSA-9p43-w7wv-jv6w
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 06, 2026 - 02:28 vuln.today
CVE Published
Jun 06, 2026 - 01:26 nvd
MEDIUM 4.3

DescriptionCVE.org

The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.

AnalysisAI

Missing authorization in the Page-list WordPress plugin (all versions up to and including 6.2) allows authenticated contributors to read private and draft page content beyond their intended access scope. The [pagelist_ext] shortcode in the pagelist_unqprfx_ext_shortcode() function passes attacker-supplied post_status, post_type, and show_meta_key attributes directly into get_pages() and get_post_meta() with no capability check, and a critical amplification trigger - when no child pages exist, the query falls back to child_of => 0, broadening scope to every matching page on the entire site. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and straightforward exploitation path via shortcode injection make this a meaningful insider-threat risk on sites with sensitive unpublished content.

Technical ContextAI

The vulnerability class is CWE-862 (Missing Authorization), a failure to verify that the authenticated user possesses the capability required to access the queried objects. The Page-list plugin by webvitaly (CPE: cpe:2.3:a:webvitaly:page-list:*:*:*:*:*:*:*:*) exposes the [pagelist_ext] and [pagelistext] shortcodes, which invoke pagelist_unqprfx_ext_shortcode(). This function accepts user-controlled shortcode attributes and passes them without sanitization or authorization gating into WordPress core functions get_pages() (which retrieves posts/pages by status and type) and get_post_meta() (which fetches arbitrary meta fields). WordPress's own capability model - which gates reading private posts behind the read_private_pages capability, a permission contributors do not hold - is entirely bypassed because the plugin never calls current_user_can() before executing these queries. The fallback to child_of => 0 when no child pages are found, as seen in source references at lines 301, 303, and 383 of page-list.php, transforms what might be a narrow disclosure into a site-wide enumeration primitive.

RemediationAI

An upstream fix has been committed to the WordPress plugin SVN repository, as evidenced by the trac changeset reference (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3552931%40page-list&new=3552931%40page-list); however, the specific patched release version number is not confirmed from the available data - administrators should update to the latest available version via the WordPress admin Plugins dashboard and verify the installed version exceeds 6.2. As an immediate compensating control, administrators should audit and restrict contributor-level account access, particularly on sites where registration is open or lightly moderated, since the vulnerability requires at minimum a contributor account to exploit. If the [pagelist_ext] or [pagelistext] shortcode is not actively used in published content workflows, it can be functionally disabled by blocking shortcode execution through a must-use plugin or security plugin shortcode filter - note that this will break any existing pages or drafts that rely on the shortcode for page-listing functionality. Restricting preview capabilities for contributors is not a reliable mitigation since the vulnerability is triggered during the preview rendering phase itself.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-34939 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy