CVE-2026-9008 MEDIUM

CVE-2026-9008: Page-list <= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes

Vendor Webvitaly
Product Page-list
Weakness CWE-862 · Missing authorization
Published June 6, 2026
Last update June 6, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.
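An illustrative hardened handler for a [pagelist_ext]-style shortcode, added here as an example and not the plugin's own code or its 6.3 fix. The function name, the attribute defaults and the fallback choices are assumptions; the WordPress APIs used (shortcode_atts, get_pages, current_user_can, is_protected_meta) are real, and each numbered comment maps to one of the gaps the description above names.

```php
<?php
// Illustrative hardened handler for a [pagelist_ext]-style shortcode. Not the
// plugin's own code; every non-WordPress name here is an assumption.
function example_pagelist_ext_shortcode( $atts ) {
    $atts = shortcode_atts( array(
        'post_type'     => 'page',
        'post_status'   => 'publish',
        'show_meta_key' => '',
        'child_of'      => get_the_ID(),
    ), $atts, 'pagelist_ext' );
    // 1. Only public post types; anything else supplied falls back to 'page'.
    $public_types = get_post_types( array( 'public' => true ), 'names' );
    if ( ! in_array( $atts['post_type'], $public_types, true ) ) {
        $atts['post_type'] = 'page';
    }
    $type_obj = get_post_type_object( $atts['post_type'] );
    // 2. Non-public statuses (private, draft, ...) only when the rendering
    //    user holds the read_private_* capability for that post type.
    if ( 'publish' !== $atts['post_status']
        && ! current_user_can( $type_obj->cap->read_private_posts ) ) {
        $atts['post_status'] = 'publish';
    }
    // 3. Never widen to the whole site: no parent means an empty list, rather
    //    than re-querying with child_of => 0.
    $parent = (int) $atts['child_of'];
    if ( $parent <= 0 ) {
        return '';
    }
    $pages = get_pages( array(
        'child_of'    => $parent,
        'post_type'   => $atts['post_type'],
        'post_status' => $atts['post_status'],
    ) );
    $key = sanitize_key( $atts['show_meta_key'] );
    $out = '<ul>';
    foreach ( (array) $pages as $page ) {
        // 4. Per-object check: drop anything this user cannot read.
        if ( ! current_user_can( 'read_post', $page->ID ) ) {
            continue;
        }
        $out .= '<li>' . esc_html( get_the_title( $page ) );
        // 5. Meta only for readable pages, never protected (_-prefixed) keys.
        if ( '' !== $key && ! is_protected_meta( $key, 'post' ) ) {
            $out .= ' ' . esc_html( get_post_meta( $page->ID, $key, true ) );
        }
        $out .= '</li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'pagelist_ext', 'example_pagelist_ext_shortcode' );
```

Even with these checks, letting a shortcode attribute pick an arbitrary meta key remains a weak design; an allowlist of displayable keys is the stricter option.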

Explanation of Vulnerability in Simple Terms

02 Summary

Page-list versions 6.2 and earlier do not properly check user permissions before allowing access to certain functionality. A logged-in user with low privileges can read data they should not have access to. Update to version 6.3 or later to fix this issue.

What an attacker can do

03 Attacker Capabilities

Read sensitive data they should not have permission to access.

Potential impact on your site

04 Site Impact

Unauthorized users can view restricted information if they have any account on your site.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account on the site.

Key dates

06 Disclosure timeline

June 6, 2026 CVE published
June 6, 2026 Record updated
