WordPress Plugin Vulnerabilities

Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX

Description

The plugin does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role (Contributor) to disclose non-public content that WordPress would not otherwise expose to them, such as other authors' unpublished post titles, pending comment content, the site's plugin inventory, and user account names.
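
The missing control described above is a per-result capability check applied before any search hit is returned to the caller. The following is an added example, not Adminify's code or its 4.2.10 patch: the function names and the shape of the result array are assumptions, while `current_user_can()`, `get_comment()` and the capability names are WordPress core.

```php
<?php
// Added example (hypothetical names). Runs inside WordPress, e.g. from an AJAX handler.
// Assumed input: each hit is an array such as
//   [ 'type' => 'post'|'comment'|'plugin'|'user', 'id' => 123, 'title' => '...' ].

/** Return only the hits the current user is allowed to see. */
function example_filter_search_results( array $results ): array {
    return array_values( array_filter( $results, 'example_user_can_see_result' ) );
}

function example_user_can_see_result( array $result ): bool {
    $id = isset( $result['id'] ) ? (int) $result['id'] : 0;

    switch ( $result['type'] ?? '' ) {
        case 'post':
            // 'read_post' is a meta capability: core resolves it against the
            // post's status and author, so another author's draft or pending
            // post is refused for a Contributor.
            return $id > 0 && current_user_can( 'read_post', $id );

        case 'comment':
            $comment = get_comment( $id );
            if ( ! $comment ) {
                return false;
            }
            if ( '1' === $comment->comment_approved ) {
                // Approved comment: visible if the parent post is readable.
                return current_user_can( 'read_post', (int) $comment->comment_post_ID );
            }
            // Pending, spam or trashed: only users who may edit that comment.
            return current_user_can( 'edit_comment', $id );

        case 'plugin':
            // Plugin inventory is restricted to users who can manage plugins.
            return current_user_can( 'activate_plugins' );

        case 'user':
            // Account names are restricted to users who can list users.
            return current_user_can( 'list_users' );

        default:
            return false; // Unknown result type: fail closed.
    }
}
```

The filter belongs on the server side, immediately before the response is serialized, so that hiding results in the admin UI is never the only barrier.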

Affects Plugins

Fixed in 4.2.10

Classification

Type
SENSITIVE DATA DISCLOSURE

Miscellaneous

Original Researcher
Vaibhav Narkhede
Submitter
Vaibhav Narkhede
Verified
Yes

Timeline

Publicly Published
2026-06-11 (about 21 days ago)
Added
2026-06-11 (about 20 days ago)
Last Updated
2026-06-11 (about 20 days ago)
