Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-accessible shortcode rendering with low complexity; contributor account required (PR:L); confidentiality-only impact on non-public post data, no integrity or availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The List category posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.95.0 via the sanitize_status. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles, full content, excerpts, dates, authors, and custom-field metadata of other users' pending-review, scheduled, and trashed posts by embedding a crafted [catlist] shortcode in their own draft and previewing it. This vulnerability is a bypass of the incomplete fix introduced for CVE-2025-11377 in version 0.93.0.
AnalysisAI
Sensitive information exposure in the List Category Posts WordPress plugin (all versions through 0.95.0) allows authenticated contributors to read non-public posts belonging to other users - including pending-review, scheduled, and trashed content with full body text, excerpts, authors, and custom-field metadata. Exploitation requires only a contributor-level account and the ability to embed the native [catlist] shortcode in a draft post, then preview it, triggering the flawed sanitize_status logic. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a contributor-level WordPress account (or any higher role) on the target site, which is a non-default trust grant. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) is consistent with the actual threat model: network-accessible, low complexity, but requiring a legitimate contributor account, and limited to confidentiality impact only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a contributor-level account on a multi-author WordPress site creates a new draft post and inserts a [catlist] shortcode specifying a post_status of 'pending' or 'future' targeting a specific category. Upon previewing the draft, WordPress renders the shortcode server-side, and the plugin's sanitize_status function fails to enforce access controls, returning the full titles, body content, custom-field metadata, and authorship details of other users' non-public posts directly in the attacker's browser preview. … |
| Remediation | A source-level fix has been committed to the plugin's Subversion repository as changeset 3598587 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3598587%40list-category-posts&new=3598587%40list-category-posts); however, a tagged release version incorporating this fix is not confirmed in the available data, so administrators should monitor the WordPress.org plugin page for a version above 0.95.0 and upgrade as soon as it is published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in List Category Posts
View allThe List category posts WordPress plugin (versions through 0.93.1) contains a DOM-based cross-site scripting (XSS) vulne
The List category posts WordPress plugin before 0.90.3 does not validate and escape some of its shortcode attributes bef
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44856
GHSA-w939-c8qp-6hm2