WP Adminify < 4.0.7.8 – Unauthenticated Sensitive Information Exposure via 'get-addons-list' REST API | CVE 2026-1060 | Plugin Vulnerabilities

Description

The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.

Affects Plugins

Fixed in 4.0.7.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7ecb4f95-346e-49b3-859f-44f28a72f065

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

ibrahimsql

Verified

No

WPVDB ID

1f8c7f42-dbfc-4bad-be51-72e393b4658b

Timeline

Publicly Published

2026-01-27 (about 4 months ago)

Added

2026-01-28 (about 4 months ago)

Last Updated

2026-01-28 (about 4 months ago)

Other

Published

Title

Published

2024-02-02

Title

LearnDash LMS < 4.10.3 - Sensitive Information Exposure via API

Published

2025-04-16

Title

Mediavine Control Panel < 2.10.7 - Unauthenticated Information Exposure

Published

2024-04-03

Title

Easy Digital Downloads – Sell Digital Files & Subscriptions (eCommerce Store + Payments Made Easy) < 3.2.10 - Sensitive Information Exposure

Published

2025-09-29

Title

Upload.am < 1.0.1 - Contributor+ Arbitrary Option Update

Published

2024-09-24

Title

Community by PeepSo < 6.4.6.1 - Unauthenticated Full Path Disclosure