CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
What the vulnerability does
The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.
Explanation of Vulnerability in Simple Terms
WP Adminify versions up to 4.0.7.7 expose sensitive information that can be accessed over the network without authentication. An attacker can read data that should be restricted, such as configuration details or user information. Update to a version newer than 4.0.7.7 to resolve this issue.
What an attacker can do
Read sensitive information from the plugin without logging in.
Potential impact on your site
Attackers can discover configuration details, user data, or other restricted information exposed by the plugin.
Conditions required to exploit
Network access to the WordPress site; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
