WordPress Plugin Vulnerabilities
Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX
Description
The plugin does not perform per-user read-capability checks on the results returned by one of its administration search features. As a result, users with a low-privilege role (Contributor) can view non-public content that WordPress would not otherwise expose to them, such as other authors' unpublished post titles, pending comment content, the site's plugin inventory, and user account names.
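One way to apply per-result capability checks in an admin search AJAX handler, covering the four data types named above. This is an added example, not Adminify's code or its patch: the action name, nonce name and function name are hypothetical, and the capabilities chosen to gate the user and plugin lists are assumptions.

```php
<?php
// Hypothetical hardened handler; the action, nonce and function names are
// illustrative and are not taken from the Adminify code base.
add_action( 'wp_ajax_example_global_search', 'example_global_search' );

function example_global_search() {
    check_ajax_referer( 'example_search_nonce', 'nonce' );
    $term = isset( $_POST['s'] ) ? sanitize_text_field( wp_unslash( $_POST['s'] ) ) : '';
    if ( '' === $term ) {
        wp_send_json_success( array() );
    }
    $out = array( 'posts' => array(), 'comments' => array(), 'users' => array(), 'plugins' => array() );

    // Posts: query every status, then keep only what this user may read.
    // 'read_post' is a meta capability, so drafts by other authors are dropped.
    $posts = get_posts( array( 's' => $term, 'post_status' => 'any', 'posts_per_page' => 20 ) );
    foreach ( $posts as $post ) {
        if ( current_user_can( 'read_post', $post->ID ) ) {
            $out['posts'][] = array( 'id' => $post->ID, 'title' => get_the_title( $post ) );
        }
    }

    // Comments: approved ones follow the parent post's visibility;
    // pending, spam or trashed ones require the right to edit that comment.
    foreach ( get_comments( array( 'search' => $term, 'status' => 'all', 'number' => 20 ) ) as $comment ) {
        $visible = ( '1' === $comment->comment_approved )
            ? current_user_can( 'read_post', $comment->comment_post_ID )
            : current_user_can( 'edit_comment', $comment->comment_ID );
        if ( $visible ) {
            $out['comments'][] = array( 'id' => (int) $comment->comment_ID, 'excerpt' => get_comment_excerpt( $comment ) );
        }
    }

    // User names: assumed to be gated on the core 'list_users' capability.
    if ( current_user_can( 'list_users' ) ) {
        $users = get_users( array( 'search' => '*' . $term . '*', 'fields' => array( 'ID', 'display_name' ), 'number' => 20 ) );
        foreach ( $users as $user ) {
            $out['users'][] = array( 'id' => (int) $user->ID, 'name' => $user->display_name );
        }
    }

    // Plugin inventory: assumed to be gated on 'activate_plugins'.
    if ( current_user_can( 'activate_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
        foreach ( get_plugins() as $data ) {
            if ( false !== stripos( $data['Name'], $term ) ) {
                $out['plugins'][] = $data['Name'];
            }
        }
    }
    wp_send_json_success( $out );
}
```

Logging in as a Contributor and confirming that another author's draft title, a pending comment, the plugin list and the user list are all absent from the response is a quick regression check for this class of bug.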
Proof of Concept
Affects Plugins
References
CVE
Classification
Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Vaibhav Narkhede
Submitter
Vaibhav Narkhede
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2026-06-11
Added
2026-06-11
Last Updated
2026-06-11