CVE-2026-9008
4.3 MEDIUMThe Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2
Published: 2026-06-06 · Last updated: 2026-06-08
Severity and scoring
- CVSS
- 4.3 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- CWE
- CWE-862
Description
The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9008
- [Other]https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L188
- [Other]https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L301
- [Other]https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L303
- [Other]https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L383
- [Other]https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3552931%40page-list&new=3552931%40page-list&sfp_email=&sfph_mail=
- [Other]https://www.wordfence.com/threat-intel/vulnerabilities/id/22defe19-28ac-43b3-814d-5a2038380adb?source=cve
Related CVEs
Same CWE
- CVE-2026-46645 — SQLAdmin is a flexible Admin interface for SQLAlchemy models (4.3 MEDIUM)
- CVE-2026-53634 — Sharp is a content management framework built for Laravel as a package (4.3 MEDIUM)
- CVE-2026-0272 — A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Comm...
- CVE-2026-49822 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)
- CVE-2026-49821 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (7.7 HIGH)