Skip to main content

Bogo Plugin EUVDEUVD-2026-37983

| CVE-2026-9013 MEDIUM
Missing Authorization (CWE-862)
2026-06-19 Wordfence GHSA-4vf9-6whq-7g9v
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible REST endpoint requires only a subscriber account (PR:L); impact is limited to reading private post text fields with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 19, 2026 - 06:36 vuln.today
Analysis Generated
Jun 19, 2026 - 06:36 vuln.today
CVE Published
Jun 19, 2026 - 04:31 nvd
MEDIUM 4.3

DescriptionCVE.org

The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogo_rest_create_post_translation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt, and password of any private, draft, or password-protected post by triggering its duplication via the translation endpoint and reading the returned title.raw, content.raw, and excerpt.raw fields of the duplicated post. This vulnerability is exploitable against posts written in a non-default locale, as authenticated subscribers can request a translation into the site's default locale to pass the locale-only permission gate. While subscribers can trigger the endpoint, this is only impactful at the Contributor-level as they can actually read the duplicated content.

AnalysisAI

Sensitive information exposure in the Bogo WordPress plugin through version 3.9.1 allows authenticated users with subscriber-level access to extract the raw title, body content, excerpt, and password of any private, draft, or password-protected post by abusing the translation duplication endpoint. The REST API handler bogo_rest_create_post_translation enforced only a locale-access capability check, which all authenticated users can satisfy, and returned raw post field values in the API response without verifying whether the requestor had read or edit rights over the source content. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as WordPress subscriber
Delivery
Identify target post ID in non-default locale (private/draft/password-protected)
Exploit
Send POST to bogo_rest_create_post_translation with target post ID and default locale
Execution
Locale-only capability check passes for default locale
Persist
API duplicates post and returns raw title/content/excerpt fields
Impact
Read sensitive post content from JSON response body

Vulnerability AssessmentAI

Exploitation Requires an authenticated WordPress account at subscriber level or above - unauthenticated exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) accurately reflects network-reachable, low-complexity exploitation requiring only a subscriber account, with limited confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a subscriber-level WordPress account on the target site. They identify a post ID for a private or draft post authored in a non-default site locale (discoverable via enumeration or prior knowledge) and send a POST request to the Bogo REST translation endpoint specifying that post ID and the site's default locale as the target. …
Remediation Update the Bogo plugin to the version containing the fix from GitHub PR #382 and WordPress plugin repository changeset 3574263. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37983 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy