CVE-2026-11781
Status: Received - Intake

Information Disclosure in Adminify WordPress Plugin

Vulnerability report for CVE-2026-11781, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: WPScan

Description

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role (Contributor) to disclose non-public content that WordPress would not otherwise expose to them, such as other authors' unpublished post titles, pending comment content, the site's plugin inventory, and user account names.

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
Affected Vendors & Products

1 associated CPE

Vendor: adminify
Product: wordpress_plugin
Version / Range: up to 4.2.10 (excluding)

Exploitability

CWE: CWE-UNKNOWN
KEV: not listed

AI Quick Actions

Executive Summary

The Adminify WordPress plugin before version 4.2.10 contains a vulnerability that allows users with a low-privilege role, such as Contributor, to access sensitive information they normally should not see.

This happens because the plugin does not perform proper per-user read-capability checks on the results returned by one of its administration search features. As a result, these users can disclose non-public content including unpublished post titles by other authors, pending comment content, the plugin's inventory details, and user account names.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information to users with low privileges, such as Contributors.

  • Exposure of unpublished post titles from other authors.
  • Access to pending comment content that is not yet public.
  • Disclosure of the Adminify plugin inventory details.
  • Exposure of user account names.

Such information disclosure could lead to privacy concerns, potential information leakage, and could aid attackers in further exploiting the site.

Detection Guidance

This vulnerability can be confirmed by exercising the global search AJAX feature of the Adminify WordPress plugin prior to version 4.2.10 with a test account holding only the Contributor role and checking what the search returns.

A proof of concept involves logging in as a Contributor and performing searches that return non-public content such as unpublished post titles, pending comments, plugin inventory details, or user account names that should normally be restricted.

Specific commands are not provided in the available resources; detection consists of verifying whether low-privilege users can retrieve restricted data through the plugin's search mechanism, and, on the server side, reviewing admin-ajax request logs for search calls issued by Contributor accounts.

Mitigation Strategies

The immediate mitigation step is to update the Adminify WordPress plugin to version 4.2.10 or later, where the vulnerability has been fixed.

Until the update can be applied, restrict Contributor role users from accessing the plugin's global search AJAX feature or disable the plugin if possible to prevent sensitive data disclosure.
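The root cause described above is a search handler that returns whatever the database query finds without asking whether the requesting user may read each item. The following is an added illustration of the corrected pattern for a generic WordPress admin-ajax search endpoint; it is not Adminify's code, and the action name `example_global_search`, the nonce action and the result shape are assumptions. It relies only on core WordPress capability APIs (`current_user_can` with the `read_post` meta capability, `moderate_comments`, `activate_plugins`, `list_users`), so a Contributor receives published posts and their own drafts but none of the four categories of non-public data named in the advisory.

```php
<?php
// Added example (not Adminify's code): an admin-ajax search handler that filters
// every result through the caller's own capabilities before returning it.
// Hook name, nonce action and result format are assumptions for illustration.

add_action( 'wp_ajax_example_global_search', 'example_global_search_handler' );

function example_global_search_handler() {
    // Reject forged cross-site requests (nonce action name is an assumption).
    check_ajax_referer( 'example_global_search', 'nonce' );

    $term = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    if ( '' === $term ) {
        wp_send_json_error( array( 'message' => 'Empty search term' ), 400 );
    }

    wp_send_json_success( example_global_search_results( $term ) );
}

/**
 * Build search results, keeping only items the current user may read.
 * Kept separate from the AJAX wrapper so the filtering can be unit-tested.
 */
function example_global_search_results( $term ) {
    $results = array( 'posts' => array(), 'comments' => array(), 'plugins' => array(), 'users' => array() );

    // Posts: query any status, then keep only those the user can read.
    // 'read_post' maps to 'read' for published posts and the user's own drafts,
    // and to 'read_private_posts' / 'edit_others_posts' for other authors'
    // private or unpublished posts, so a Contributor never sees others' drafts.
    $posts = get_posts( array(
        's'           => $term,
        'post_status' => 'any',
        'numberposts' => 20,
    ) );
    foreach ( $posts as $post ) {
        if ( current_user_can( 'read_post', $post->ID ) ) {
            $results['posts'][] = array(
                'id'     => $post->ID,
                'title'  => $post->post_title,
                'status' => $post->post_status,
            );
        }
    }

    // Pending (unapproved) comments are moderation data; Contributors lack this cap.
    if ( current_user_can( 'moderate_comments' ) ) {
        $comments = get_comments( array( 'search' => $term, 'status' => 'hold', 'number' => 20 ) );
        foreach ( $comments as $comment ) {
            $results['comments'][] = array(
                'id'      => (int) $comment->comment_ID,
                'excerpt' => wp_trim_words( $comment->comment_content, 15 ),
            );
        }
    }

    // The installed-plugin inventory is visible only to users who can manage plugins.
    if ( current_user_can( 'activate_plugins' ) ) {
        if ( ! function_exists( 'get_plugins' ) ) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
        }
        foreach ( get_plugins() as $file => $data ) {
            if ( false !== stripos( $data['Name'], $term ) ) {
                $results['plugins'][] = array( 'file' => $file, 'name' => $data['Name'], 'version' => $data['Version'] );
            }
        }
    }

    // Account names: require 'list_users', which Contributors do not hold.
    if ( current_user_can( 'list_users' ) ) {
        $users = get_users( array( 'search' => '*' . $term . '*', 'number' => 20 ) );
        foreach ( $users as $user ) {
            $results['users'][] = array( 'id' => $user->ID, 'login' => $user->user_login );
        }
    }

    return $results;
}
```

The design choice worth copying is that the capability check is applied per item (for posts) or per category (for comments, plugins and users) inside the function that assembles the response, not once at the top of the handler; a single "is the user logged in" or "is this a wp-admin request" gate is exactly the kind of check that lets a Contributor through. For an interim workaround while the plugin update is pending, the same idea can be applied from outside the plugin by hooking the affected action and denying it to users who lack `edit_others_posts`, provided the plugin's action name is known from its source.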
