Description
The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.
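As an added example that is not part of this record or of the Page-list plugin's code, the following hypothetical PHP shortcode handler shows the two controls the description says are missing: it does not accept post_status from the shortcode author at all, and it checks current_user_can('read_post') on every matched page before rendering a title or meta value. All example_ names are assumptions; the WordPress functions called are real.

```php
<?php
// Added example, not the Page-list plugin's own code. Names prefixed
// "example_" are assumptions; the WordPress functions used are real.
function example_safe_pagelist_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'post_type' => 'page', 'show_meta_key' => '' ),
        $atts,
        'example_pagelist'
    );
    // post_status is deliberately not an accepted attribute: a shortcode
    // author must not be able to widen the query to private/draft objects.
    $type_obj = get_post_type_object( $atts['post_type'] );
    if ( ! $type_obj || ! $type_obj->public ) {
        return ''; // unknown or non-public post type: render nothing
    }
    $pages = get_pages(
        array(
            'post_type'   => $atts['post_type'],
            'post_status' => 'publish',
            'child_of'    => get_the_ID(), // no child_of => 0 fallback
        )
    );
    if ( empty( $pages ) ) {
        return '';
    }
    $meta_key = sanitize_text_field( $atts['show_meta_key'] );
    $out      = '<ul>';
    foreach ( $pages as $page ) {
        // Per-object authorization: 'read_post' goes through map_meta_cap(),
        // so a private page needs read_private_pages and another author's
        // draft needs edit_others_pages, which a contributor does not hold.
        if ( ! current_user_can( 'read_post', $page->ID ) ) {
            continue;
        }
        $out .= '<li>' . esc_html( get_the_title( $page ) );
        // Meta is read only for authorized pages, and never for protected
        // ("_"-prefixed) keys such as internal template or lock markers.
        if ( '' !== $meta_key && ! is_protected_meta( $meta_key, 'post' ) ) {
            $meta = get_post_meta( $page->ID, $meta_key, true );
            if ( is_scalar( $meta ) && '' !== (string) $meta ) {
                $out .= ': ' . esc_html( (string) $meta );
            }
        }
        $out .= '</li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'example_pagelist', 'example_safe_pagelist_shortcode' );
```

The per-object check is kept even though only published pages are queried, so that a later change re-widening the query cannot silently reintroduce the disclosure.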
Published: 2026-06-06
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Page-list plugin for WordPress suffers from a missing authorization flaw that allows authenticated users with contributor or higher roles to supply attacker-controlled attributes to the [pagelist_ext] and [pagelistext] shortcodes. Because the shortcode handler passes those attributes directly to the core page-retrieval and metadata functions, the plugin renders titles, content or excerpts, and arbitrary post meta from any page that matches the supplied criteria. The handler performs no user-level capability check, so a contributor can reveal private or draft pages belonging to other authors by inserting the shortcode in a draft and previewing it.

Affected Systems

The vulnerability affects every installation of the Page-list plugin for WordPress at version 6.2 or earlier. The plugin is distributed via the WordPress Plugin Repository under the name Page-list. Any WordPress site running an affected version that allows contributor-level users to author and preview content containing shortcodes is impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity under the current scoring schema, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the user hold contributor or higher privileges and be able to create or preview a draft post. Once those conditions are met, the attacker can read the content and metadata of private and draft pages they are not authorized to view, affecting the confidentiality of content across the site.

Generated by OpenCVE AI on June 6, 2026 at 03:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Page‑list plugin to the latest release, which removes the unchecked shortcode attributes.
  • If an upgrade cannot be performed immediately, disable the [pagelist_ext] and [pagelistext] shortcodes for contributor and lower roles or configure the plugin to require a higher capability before rendering.
  • Review and remove any existing draft posts or pages that contain the vulnerable shortcodes to prevent accidental disclosure.



Advisories

No advisories yet.

History

Sat, 06 Jun 2026 02:15:00 +0000

Type / Values Removed / Values Added

Description: (none removed) / added; identical to the Description at the top of this record
Title: (none removed) / Page-list <= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes
Weaknesses: (none removed) / CWE-862
References: (none removed) / (none added)
Metrics: (none removed) / cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-06T01:26:08.984Z

Reserved: 2026-05-19T14:06:40.464Z

Link: CVE-2026-9008

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-06T02:16:22.683

Modified: 2026-06-06T02:16:22.683

Link: CVE-2026-9008

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T04:00:15Z

Weaknesses