WordPress Plugin Vulnerabilities

ActivityPub Routing < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure

Description

The plugin does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts

Proof of Concept

Affects Plugins

Plugin icon
activitypub
Fixed in 8.0.2

References

CVE
CVE-2026-4338

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
7.5 (high)

Miscellaneous

Original Researcher
ryuk (kos0ng)
Submitter
Jeremy Herve
Submitter website
https://kos0ng.gitbook.io/ctfs/
Submitter twitter
_ryuk12345
Verified
Yes
WPVDB ID
50f68395-72fc-4f99-8e6d-6aa90cc640b5

Timeline

Publicly Published
2026-03-18 (about 1 month ago)
Added
2026-03-18 (about 1 month ago)
Last Updated
2026-03-18 (about 1 month ago)

Other

Published
Title
Published
2024-06-20
Title
Newspack Blocks < 3.0.9 - Unauthenticated Sensitive Information Exposure
Published
2026-02-02
Title
Tutor LMS < 3.9.6 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action
Published
2025-05-16
Title
Wishlist <= 2.1.0 - Authenticated (Subscriber+) Information Exposure
Published
2024-12-19
Title
Page Restriction WordPress (WP) – Protect WP Pages/Post < 1.3.7 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Published
2020-07-30
Title
JetBackup < 1.4.1 - Subscriber+ Sensitive Information Disclosure