Description
The List category posts plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 0.92.0 via the 'catlist' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.
Published: 2025-11-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Assess Impact
AI Analysis

Impact

The List category posts plugin for WordPress contains an Information Exposure flaw. The vulnerability is tied to the 'catlist' shortcode, where the code fails to enforce proper visibility restrictions, allowing authenticated users with contributor or higher privileges to view posts that are password protected, private, or drafts. This flaw maps to CWE-200 and lets attackers read content they should not see, potentially leaking confidential or unpublished information.

Affected Systems

The flaw exists in all releases of the fernandobt List category posts plugin up to and including version 0.92.0. WordPress sites that have installed that plugin and have users with contributor-level access are susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% signals that exploitation is unlikely at this time, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to authenticate to the WordPress site with at least contributor permissions and then invoke the vulnerable catlist shortcode to enumerate and read posts that are normally hidden. The impact is confined to the data exposure of protected posts, not to code execution or denial of service.

Generated by OpenCVE AI on April 22, 2026 at 12:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the List category posts plugin to a version newer than 0.92.0 or remove the plugin entirely.
  • If upgrading is not immediately possible, restrict or remove contributor (and higher) roles from the site, or modify user capabilities to prevent execution of the catlist shortcode.
  • Disable or restrict usage of the catlist shortcode in the site’s configuration so that only public posts can be queried.

Generated by OpenCVE AI on April 22, 2026 at 12:34 UTC.

Advisories

No advisories yet.

History

Mon, 03 Nov 2025 21:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Nov 2025 10:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Fernandobriano; Fernandobriano list Category Posts; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Fernandobriano; Fernandobriano list Category Posts; Wordpress; Wordpress wordpress

Sat, 01 Nov 2025 04:45:00 +0000

Type: Description
Values removed: (none)
Values added: The List category posts plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 0.92.0 via the 'catlist' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.

Type: Title
Values removed: (none)
Values added: List category posts <= 0.92.0 - Authenticated (Contributor+) Information Exposure

Type: Weaknesses
Values removed: (none)
Values added: CWE-200

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:49.591Z

Reserved: 2025-10-06T16:21:36.559Z

Link: CVE-2025-11377

Vulnrichment

Updated: 2025-11-03T20:45:26.343Z

NVD

Status: Deferred

Published: 2025-11-01T05:16:02.037

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11377

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:45:17Z

Weaknesses