Impact
The WP Adminify plugin exposes sensitive information through an unauthenticated REST API endpoint. A request to /wp-json/adminify/v1/get-addons-list returns the full list of available addons, including each addon's installation status, version number, and download URL. The vulnerability arises because the route's permission_callback is set to __return_true, so WordPress performs no authentication or capability check on the request and any external visitor can harvest the plugin metadata without credentials.
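To make the permission-callback point concrete, here is an added example (not code from WP Adminify or from OpenCVE) in PHP, the language of WordPress plugins. It shows the weak registration pattern the advisory describes next to a corrected one, and a small must-use plugin that a site owner can drop into wp-content/mu-plugins/ as a stopgap until the plugin is updated. The route name comes from the advisory; the function names prefixed example_ and the callback example_get_addons_list are placeholders, and the code assumes the route is registered under the adminify/v1 namespace exactly as the advisory states.

```php
<?php
/**
 * Plugin Name: Adminify addons-list hardening (added example, not part of WP Adminify)
 * Description: Weak vs. corrected REST route registration, plus an mu-plugin
 *              virtual patch for site owners who cannot update immediately.
 */

// --- 1. The weak pattern the advisory describes (do not use) ------------------
// '__return_true' as permission_callback means anyone, logged in or not, may call it.
function example_register_addons_route_weak() {
    register_rest_route( 'adminify/v1', '/get-addons-list', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_addons_list', // placeholder name
        'permission_callback' => '__return_true',
    ) );
}

// --- 2. Corrected registration: require an administrator capability ------------
function example_register_addons_route_fixed() {
    register_rest_route( 'adminify/v1', '/get-addons-list', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_addons_list', // placeholder name
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Addon inventory (install state, versions, download URLs) is admin-only data.
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'Sorry, you are not allowed to do that.' ),
                    // 401 for anonymous callers, 403 for logged-in users without the capability
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// --- 3. Site-owner virtual patch (wp-content/mu-plugins/) ---------------------
// rest_pre_dispatch runs after WordPress has authenticated the request but before
// the route's own permission_callback, so returning a WP_Error here short-circuits
// the vulnerable handler without touching the plugin's files.
add_filter( 'rest_pre_dispatch', 'example_adminify_guard_addons_list', 10, 3 );

function example_adminify_guard_addons_list( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already decided this request
    }
    if ( '/adminify/v1/get-addons-list' === $request->get_route()
        && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $result;
}
```

After updating the plugin to 4.0.8 or newer (or installing the mu-plugin above), an unauthenticated request to /wp-json/adminify/v1/get-addons-list on your own site should return HTTP 401 with a rest_forbidden error body instead of the addon list; once the plugin is updated, remove the mu-plugin so it does not mask a future change in the route.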
Affected Systems
WordPress sites running the WP Adminify plugin in any version up to and including 4.0.7.7. The plugin is distributed as "WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer" and is commonly used by site owners who want to customize the WordPress admin interface. Because it appears under that name in the installed-plugins list, administrators should check the plugin version on their sites and treat any version that has not been updated to 4.0.8 or newer as vulnerable.
Risk and Exploitability
This vulnerability carries a CVSS score of 5.3, indicating moderate severity. EPSS puts the exploitation probability below 1%, suggesting that attackers are unlikely to target this weakness aggressively, yet the missing authentication check still lets anyone enumerate the plugin's addon inventory. The vulnerability is not currently listed in the CISA KEV catalog. Attackers could use the exposed information to identify outdated addons and their download URLs, or to plan further attacks on the WordPress environment, especially where other misconfigurations exist. No environmental prerequisites are mentioned, so an unauthenticated attacker with network access to the WordPress REST API can exploit it.
OpenCVE Enrichment