CVE-2026-9008

June 6, 2026, 2:16 a.m.

4.3
Medium

Description

The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.

Product(s) Impacted

Vendor Product Versions
Wordpress
  • Page-list
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wordpress page-list / / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L188
https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L301
https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L303
https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L383
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3552931%40page-list&new=3552931%40page-list&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/22defe19-28ac-43b3-814d-5a2038380adb?source=cve

Tags

[email protected]
CWE-862
2026-06-06
CVE-2026-9008

CVSS Score

4.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: June 6, 2026, 2:16 a.m.
Last Modified: June 6, 2026, 2:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.