WordPress Plugin Vulnerabilities

ActivityPub Routing < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure

Description

The plugin does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts

Proof of Concept

Affects Plugins

Plugin icon
activitypub
Fixed in 8.0.2

References

CVE
CVE-2026-4338

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
ryuk (kos0ng)
Submitter
Jeremy Herve
Submitter website
https://kos0ng.gitbook.io/ctfs/
Submitter twitter
_ryuk12345
Verified
Yes
WPVDB ID
50f68395-72fc-4f99-8e6d-6aa90cc640b5

Timeline

Publicly Published
2026-03-18 (about 21 days ago)
Added
2026-03-18 (about 20 days ago)
Last Updated
2026-03-18 (about 20 days ago)

Other

Published
Title
Published
2026-02-18
Title
WP Front User Submit < 5.0.6 - Unauthenticated Sensitive Information Exposure
Published
2025-09-03
Title
Klarna Order Management for WooCommerce < 1.9.9 - Shop Manager+ Information Disclosure
Published
2026-03-20
Title
e-shot <= 1.0.2 - Subscriber+ API Token Disclosure
Published
2025-05-30
Title
WooCommerce Orders & Customers Exporter <= 5.0 - Authenticated (Subscriber+) Information Exposure
Published
2023-10-18
Title
Popup by Supsystic < 1.10.20 - Missing Authorization to Sensitive Information Exposure