CVE-2026-4338

Description

The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts

PUBLISHED Reserved 2026-03-17 | Published 2026-04-08 | Updated 2026-04-08 | Assigner WPScan

Problem types

CWE-200 Information Exposure

Product status

Credits

ryuk (kos0ng) finder

WPScan coordinator

References

wpscan.com/...rability/50f68395-72fc-4f99-8e6d-6aa90cc640b5/ exploit vdb-entry technical-description

cve.org (CVE-2026-4338)

nvd.nist.gov (CVE-2026-4338)

Download JSON