CVE-2026-4338
Unauthorized Access in ActivityPub WordPress Plugin Allows Draft Exposure
Publication date: 2026-04-08
Last updated on: 2026-04-14
Assigner: WPScan
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| automattic | activitypub | up to 8.0.2 (8.0.2 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4338 is a vulnerability in the ActivityPub Routing WordPress plugin in versions before 8.0.2. The plugin does not properly filter out posts whose status is draft, scheduled, or pending, so unauthenticated users can retrieve these unpublished posts.
In practice, anyone, without logging in, can read content that was not yet meant to be public simply by requesting it with specific URL query parameters.
The vulnerability is classified as a Sensitive Data Disclosure issue (CWE-200) and is rated high severity, with a CVSS score of 7.5.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive or unpublished content on your WordPress site.
Attackers can view draft, scheduled, or pending posts without authentication, potentially exposing confidential information, internal communications, or other sensitive data before it is intended to be public.
Such exposure can damage your organization's reputation, lead to information leaks, and possibly aid further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access draft, scheduled, or pending posts without authentication using specific URL query parameters.
For example, you can test if your WordPress site with the ActivityPub Routing plugin is vulnerable by accessing a URL similar to: https://example.com/?p=26&activitypub=1&preview=1
If the draft or pending post is displayed without requiring login, the system is vulnerable.
No specific command-line tools or network scanning commands are provided in the available resources.
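Since the page provides no detection commands, the following is an added example (not part of the original page or of the plugin) showing how a defender can search web server access logs for the request pattern described above. It parses Combined Log Format lines, decodes the query string (so percent-encoded post IDs are still caught), and flags only requests that combine the `activitypub=1` and `preview=1` parameters from the example URL. The log lines are constructed for illustration, and the assumption that a plain `activitypub=1` request without `preview=1` is ordinary federation traffic is ours; tune the filter to your site.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format:
# 203.0.113.5 - - [08/Apr/2026:10:01:02 +0000] "GET /?p=26&activitypub=1&preview=1 HTTP/1.1" 200 1832 "-" "curl/8.5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Apr/2026:10:01:02 +0000] "GET /?p=26&activitypub=1&preview=1 HTTP/1.1" 200 1832 "-" "curl/8.5.0"
203.0.113.5 - - [08/Apr/2026:10:01:03 +0000] "GET /?preview=1&activitypub=1&p=27 HTTP/1.1" 404 312 "-" "curl/8.5.0"
198.51.100.9 - - [08/Apr/2026:10:05:44 +0000] "GET /2026/04/hello-world/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Apr/2026:10:05:45 +0000] "GET /?p=26&activitypub=1 HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
192.0.2.17 - - [08/Apr/2026:10:07:10 +0000] "GET /?activitypub=1&preview=1&p=%32%38 HTTP/1.1" 200 1790 "-" "python-requests/2.32"
"""


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # parse_qs percent-decodes values, so p=%32%38 becomes "28"; keys are lower-cased
    # so parameter-name case tricks do not slip past the filter.
    query = parse_qs(urlsplit(entry["target"]).query, keep_blank_values=True)
    entry["query"] = {k.lower(): v for k, v in query.items()}
    entry["status"] = int(entry["status"])
    return entry


def scan_log(text):
    """Return one finding per request that carries both activitypub=1 and preview=1.

    A 200 response is reported as a possible exposure; any other status as a probe.
    Assumption: activitypub=1 on its own is normal federation traffic and is not flagged.
    """
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        q = entry["query"]
        if "1" not in q.get("activitypub", []) or "1" not in q.get("preview", []):
            continue
        findings.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "post_id": (q.get("p") or [None])[0],
            "status": entry["status"],
            "verdict": "possible_exposure" if entry["status"] == 200 else "probe",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} post_id={f['post_id']} status={f['status']} -> {f['verdict']}")
```

A 200 response alone does not prove that an unpublished post was served: confirm each flagged `post_id` against the post's status in the database (for example the `post_status` column of `wp_posts`) before treating a finding as a confirmed disclosure, and use the source IPs to check whether the same client probed several IDs in sequence.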
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the ActivityPub Routing WordPress plugin to version 8.0.2 or later, where this vulnerability has been fixed.
Until the update is applied, restrict access to unpublished posts by limiting unauthenticated access to the site or disabling the plugin temporarily if possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated users to access drafts, scheduled, or pending posts that should be unpublished, resulting in unauthorized disclosure of sensitive data.
Such unauthorized disclosure of sensitive data can lead to non-compliance with common data protection standards and regulations like GDPR and HIPAA, which require proper protection and confidentiality of personal and sensitive information.
Because the vulnerability corresponds to CWE-200 (Sensitive Data Exposure) and is classified under OWASP Top 10 category A3, it highlights a failure to adequately protect sensitive data, which is a key requirement in these regulations.