CVE-2026-4338
Received Received - Intake
Unauthorized Access in ActivityPub WordPress Plugin Allows Draft Exposure

Publication date: 2026-04-08

Last updated on: 2026-04-14

Assigner: WPScan

Description
The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4338
EUVD
EUVD-2026-20058
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
automattic activitypub to 8.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated users to access drafts, scheduled, or pending posts that should be unpublished, resulting in unauthorized disclosure of sensitive data.

Such unauthorized disclosure of sensitive data can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require proper protection and confidentiality of personal and sensitive information.

Because the vulnerability corresponds to CWE-200 (Sensitive Data Exposure) and is classified under OWASP Top 10 category A3, it highlights a failure to adequately protect sensitive data, which is a key requirement in these regulations.

Executive Summary

CVE-2026-4338 is a vulnerability in the ActivityPub Routing WordPress plugin versions before 8.0.2. The plugin does not properly filter posts that are drafts, scheduled, or pending, which allows unauthenticated users to access these unpublished posts.

This means that anyone, even without logging in, can view sensitive content that was not meant to be publicly available yet by exploiting specific URL parameters.

The vulnerability is classified as a Sensitive Data Disclosure issue (CWE-200) and is considered high severity with a CVSS score of 7.5.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive or unpublished content on your WordPress site.

Attackers can view draft, scheduled, or pending posts without authentication, potentially exposing confidential information, internal communications, or other sensitive data before it is intended to be public.

Such exposure can damage your organization's reputation, lead to information leaks, and possibly aid further attacks.

Detection Guidance

This vulnerability can be detected by attempting to access draft, scheduled, or pending posts without authentication using specific URL query parameters.

For example, you can test if your WordPress site with the ActivityPub Routing plugin is vulnerable by accessing a URL similar to: https://example.com/?p=26&activitypub=1&preview=1

If the draft or pending post is displayed without requiring login, the system is vulnerable.

No specific command-line tools or network scanning commands are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to update the ActivityPub Routing WordPress plugin to version 8.0.2 or later, where this vulnerability has been fixed.

Until the update is applied, restrict access to unpublished posts by limiting unauthenticated access to the site or disabling the plugin temporarily if possible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4338. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart