Description
The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via arbitrary method call from the Authors_List_Shortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to call methods such as get_meta to extract sensitive user data including password hashes, email addresses, usernames, and activation keys via specially crafted shortcode attributes.
Published: 2025-11-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure due to exposed user metadata
Action: Immediate Patch
AI Analysis

Impact

The Authors List plugin for WordPress allows an authenticated attacker with Contributor or higher privileges to craft a shortcode that invokes a private method of the Authors_List_Shortcode class. This method call can retrieve sensitive user information, including password hashes, email addresses, usernames, and activation keys. The flaw is a classic Sensitive Data Exposure bug (CWE-200): it does not compromise the system itself, but it leaks information that could be used for credential stuffing or further exploitation.

Affected Systems

WordPress sites running the Authors List plugin at any release up to and including version 2.0.6.1. All versions prior to 2.0.6.2 are affected; 2.0.6.2 and later include the fix.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate severity. The EPSS score is below 1%, indicating a very low but non‑zero probability of exploitation in the wild, and the vulnerability is not yet listed in CISA’s KEV catalog. An attacker must be authenticated with Contributor or higher permissions, craft a malicious shortcode payload, and embed it in a post or page to trigger the vulnerable method. Once executed, the attacker can harvest private user metadata.

Generated by OpenCVE AI on April 22, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Authors List plugin to version 2.0.6.2 or later, which contains the fix for the method-call vulnerability.
  • If an upgrade cannot be performed immediately, restrict the execution of the authors-list shortcode to users with Administrator role only, or disable the shortcode for Contributor and higher roles using a role-management plugin or a small custom filter.
  • As a temporary protection, remove or replace the Authors List plugin from sites that must remain on older versions and cannot enforce role restrictions, thereby eliminating the vulnerable code path.

Generated by OpenCVE AI on April 22, 2026 at 12:52 UTC.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000


Wed, 12 Nov 2025 20:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 12 Nov 2025 13:00:00 +0000

Type: First Time appeared
Values removed: none
Values added: Wordpress wordpress; Wpkube authors List

Type: Vendors & Products
Values removed: none
Values added: Wordpress wordpress; Wpkube authors List

Tue, 11 Nov 2025 03:45:00 +0000

Type: Description
Values removed: none
Values added: The Authors List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.6.1 via arbitrary method call from the Authors_List_Shortcode class. This makes it possible for authenticated attackers, with Contributor-level access and above, to call methods such as get_meta to extract sensitive user data including password hashes, email addresses, usernames, and activation keys via specially crafted shortcode attributes.

Type: Title
Values removed: none
Values added: Authors List <= 2.0.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Limited Method Call in Plugin's Shortcode

Type: Weaknesses
Values removed: none
Values added: CWE-200

Type: References
Values removed: none
Values added:

Type: Metrics
Values removed: none
Values added: cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:33.327Z

Reserved: 2025-10-21T12:38:07.051Z

Link: CVE-2025-12010

Vulnrichment

Updated: 2025-11-12T16:08:50.349Z

NVD

Status : Deferred

Published: 2025-11-11T04:15:45.630

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z

Weaknesses