CVE-2026-9008
Received Received - Intake
Page-list WordPress Plugin Missing Authorization to Unauthorized Page Data Exposure

Publication date: 2026-06-06

Last updated on: 2026-06-06

Assigner: Wordfence

Description
The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-06
Last Modified
2026-06-06
Generated
2026-06-06
AI Q&A
2026-06-06
EPSS Evaluated
N/A
NVD
CVE-2026-9008
EUVD
EUVD-2026-34939
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
page_list page-list to 6.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in the Page-list plugin for WordPress, affecting all versions up to and including 6.2. It is caused by the pagelist_unqprfx_ext_shortcode() function, which processes the [pagelist_ext] and [pagelistext] shortcodes. This function accepts attacker-controlled attributes such as post_status, post_type, and show_meta_key and passes them directly into WordPress functions get_pages() and get_post_meta() without verifying if the user has permission to access the requested content.

When the current post has no child pages, the shortcode broadens its query to include every page on the site matching the supplied status and type. This allows authenticated users with contributor-level access or higher to disclose titles, body content, excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a draft they authored and previewing it.


How can this vulnerability impact me? :

This vulnerability can lead to unauthorized disclosure of sensitive content on a WordPress site. Specifically, attackers with contributor-level access or above can view private and draft pages that they should not have permission to see. This includes titles, body content, excerpts, and arbitrary metadata of unrelated pages.

Such unauthorized access can compromise the confidentiality of unpublished or private information, potentially exposing sensitive or confidential data to unauthorized users.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

This vulnerability allows authenticated attackers with contributor-level access to disclose titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages. Such unauthorized disclosure of potentially sensitive or private information could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require strict controls on access to personal or sensitive data.

Because the vulnerability involves missing authorization checks that permit data exposure beyond intended permissions, organizations using the affected plugin may risk violating confidentiality and data protection requirements mandated by these standards.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart