{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4338", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-03-17T14:54:23.077Z", "datePublished": "2026-04-08T06:00:08.001Z", "dateUpdated": "2026-04-08T16:06:53.365Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-08T06:00:08.001Z"}, "title": "ActivityPub Routing < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure", "problemTypes": [{"descriptions": [{"description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "ActivityPub", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "8.0.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts"}], "references": [{"url": "https://wpscan.com/vulnerability/50f68395-72fc-4f99-8e6d-6aa90cc640b5/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "ryuk (kos0ng)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T16:06:38.334257Z", "id": "CVE-2026-4338", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:06:53.365Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4338", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T16:06:38.334257Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:06:49.990Z"}}], "cna": {"title": "ActivityPub Routing < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "ryuk (kos0ng)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "ActivityPub", "versions": [{"status": "affected", "version": "0", "lessThan": "8.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/50f68395-72fc-4f99-8e6d-6aa90cc640b5/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-200 Information Exposure"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-08T06:00:08.001Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4338", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:06:53.365Z", "dateReserved": "2026-03-17T14:54:23.077Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-04-08T06:00:08.001Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts"}], "id": "CVE-2026-4338", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T07:16:22.400", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/50f68395-72fc-4f99-8e6d-6aa90cc640b5/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "original": {"product": "ActivityPub", "source": "cna", "vendor": "Unknown"}, "product": "activitypub", "vendor": "activitypub"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T17:51:47.747010+00:00", "value": {"mitigation_remediation": ["Upgrade the ActivityPub plugin to version 8.0.2 or later.", "If upgrading is not immediately possible, block unauthenticated access to the plugin\u2019s endpoints using server\u2011side access controls such as .htaccess rules or firewall rules.", "Verify that the plugin is no longer serving draft or pending content by attempting to access those URLs as a non\u2011authenticated user.", "Monitor the site for any attempts to access unpublished content and log such events for further investigation."], "summary": {"action": "Immediate Patch", "impact": "Information disclosure of draft, scheduled, and pending posts"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the ActivityPub plugin with versions earlier than 8.0.2 are affected. No specific vendor or sub\u2011product versions are listed beyond the version cutoff, so any installation meeting that criterion should be considered vulnerable.", "description_and_impact": "The ActivityPub plugin for WordPress does not enforce proper filtering of content before displaying posts, allowing users who are not logged in to view unpublished drafts, scheduled, and pending posts. This vulnerability results in the unauthorized exposure of confidential content, compromising the confidentiality of the data stored on the site. The weakness is a classic case of improper access control, mapped to CWE-200 and CWE-284.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates high severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is unauthenticated web access; an attacker simply needs to browse to the plugin\u2019s endpoints to retrieve the exposed drafts. No additional authentication or privilege escalation is required."}}}}, "created": "2026-04-08T19:43:49.778170+00:00", "updated": "2026-04-09T08:22:21.885296+00:00", "vendors": ["activitypub", "activitypub$PRODUCT$activitypub", "wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-200", "CWE-284"]}