CVE-2026-12434
Received Received - Intake

Sensitive Information Exposure in List Category Posts WordPress Plugin

Vulnerability report for CVE-2026-12434, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: Wordfence

Description

The List category posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.95.0 via the sanitize_status. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles, full content, excerpts, dates, authors, and custom-field metadata of other users' pending-review, scheduled, and trashed posts by embedding a crafted [catlist] shortcode in their own draft and previewing it. This vulnerability is a bypass of the incomplete fix introduced for CVE-2025-11377 in version 0.93.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpressextensions list_category_posts to 0.95.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The List category posts plugin for WordPress has a flaw in versions up to 0.95.0 that allows authenticated attackers with contributor-level access or higher to view sensitive information from other users' posts. This includes titles, full content, excerpts, dates, authors, and custom-field metadata of posts in pending-review, scheduled, or trashed status. The issue arises from improper sanitization in the sanitize_status function, enabling attackers to exploit a crafted shortcode to access this data.

Impact Analysis

If you use this WordPress plugin, attackers could steal sensitive content from your drafts, scheduled, or trashed posts without needing high-level access. This could lead to data leaks, unauthorized access to unpublished work, or exposure of confidential information before it is intended for public release.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR or HIPAA by exposing sensitive personal or health-related data stored in drafts or scheduled posts. Unauthorized access to such data may result in legal penalties, reputational damage, and failure to meet regulatory requirements for data protection and confidentiality.

Detection Guidance

To detect this vulnerability, review WordPress sites using the List category posts plugin versions up to 0.95.0. Check for unauthorized access to draft, pending-review, scheduled, or trashed posts by contributors or higher-level users. Inspect shortcode usage in posts for crafted [catlist] entries.

Mitigation Strategies
  • Update the List category posts plugin to the latest version immediately to patch the vulnerability.
  • Remove or restrict contributor-level access to sensitive posts until the update is applied.
  • Audit recent post changes for unauthorized modifications or data exposure.
Compliance Impact

This vulnerability could lead to non-compliance with GDPR or HIPAA by exposing sensitive personal or health-related data stored in drafts or pending posts. Unauthorized access to such data violates confidentiality requirements and may result in legal penalties or reputational damage.

Executive Summary

The List category posts plugin for WordPress has a flaw in versions up to 0.95.0 that allows authenticated attackers with contributor-level access or higher to view sensitive information from other users' posts. This includes titles, full content, excerpts, dates, authors, and custom-field metadata of posts in pending-review, scheduled, or trashed status. The issue arises from improper sanitization in the sanitize_status function, enabling attackers to exploit a crafted shortcode to access this data.

Impact Analysis

If you use this WordPress plugin, attackers could steal sensitive content from your drafts, scheduled, or trashed posts without needing high-level access. This could lead to data leaks, unauthorized access to unpublished work, or exposure of confidential information before it is intended for public release.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12434. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart