Description
The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogo_rest_create_post_translation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt, and password of any private, draft, or password-protected post by triggering its duplication via the translation endpoint and reading the returned title.raw, content.raw, and excerpt.raw fields of the duplicated post. This vulnerability is exploitable against posts written in a non-default locale, as authenticated subscribers can request a translation into the site's default locale to pass the locale-only permission gate. While subscribers can trigger the endpoint, this is only impactful at the Contributor-level as they can actually read the duplicated content.
Published: 2026-06-19
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Bogo plugin for WordPress is vulnerable to sensitive information exposure in all versions up to 3.9.1 through the bogo_rest_create_post_translation endpoint. Authenticated users with subscriber level or higher can trigger a duplication of a private, draft, or password‑protected post via the translation endpoint. The response contains fields such as title.raw, content.raw, and excerpt.raw, which expose the original raw title, content, excerpt, and password of the post. This weakness is a missing authorization flaw (CWE‑862). The impact is the disclosure of confidential post data to any authenticated subscriber or higher user, which can compromise confidentiality and potentially integrity if the data is later edited.

Affected Systems

WordPress sites that use the Bogo plugin version 3.9.1 or earlier are affected. The plugin is distributed by rocklobsterinc and is widely used in WordPress installations where private or password‑protected posts are managed through Bogo. Any site that hosts such content and has users with subscriber or higher roles is susceptible.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity vulnerability. The attack relies on the REST API, which is remotely accessible over HTTPS, and only requires authenticated access with a subscriber role or higher, a common privilege on many sites. Because the EPSS score is not available and the vulnerability is not listed in CISA KEV, current exploitation likelihood is unclear, but the ability to extract private post data presents a clear confidentiality risk to site owners.

Generated by OpenCVE AI on June 19, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Bogo plugin to the latest released version (≥3.9.2) or apply the patch from the GitHub pull request 382 that removes the authorization check for the translation endpoint.
  • If an update cannot be applied immediately, restrict access to the bogo_rest_create_post_translation endpoint by disabling it for subscriber roles or by configuring the WordPress REST API to allow only administrators to use it.
  • Review user roles on the site and remove contributors or subscribers who do not need access to private content; consider creating a custom role that limits API access further to mitigate exposure.

Generated by OpenCVE AI on June 19, 2026 at 07:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
Description The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogo_rest_create_post_translation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt, and password of any private, draft, or password-protected post by triggering its duplication via the translation endpoint and reading the returned title.raw, content.raw, and excerpt.raw fields of the duplicated post. This vulnerability is exploitable against posts written in a non-default locale, as authenticated subscribers can request a translation into the site's default locale to pass the locale-only permission gate. While subscribers can trigger the endpoint, this is only impactful at the Contributor-level as they can actually read the duplicated content.
Title Bogo <= 3.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via REST API
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-19T04:31:33.079Z

Reserved: 2026-05-19T14:25:47.426Z

Link: CVE-2026-9013

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T07:30:16Z

Weaknesses