PT-2026-50847 · Rocklobsterinc · Bogo

Andrew Lacambra · Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-9013

CVSS v3.1: 4.3 (Medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Bogo plugin for WordPress, versions prior to 3.9.2

Description: An issue exists where authenticated attackers with subscriber-level access and above can extract the raw title, content, excerpt, and password of private, draft, or password-protected posts. This occurs by triggering a duplication of the post via the translation endpoint 'bogo rest create post translation' and reading the returned title.raw, content.raw, and excerpt.raw fields. The issue is exploitable against posts written in a non-default locale, because subscribers can request a translation into the site's default locale and so bypass the endpoint's permission gate, which checks only the requested locale and not the caller's rights on the source post. While subscribers can trigger the endpoint, the impact is primarily at the Contributor level, since contributors hold the permissions needed to read the duplicated content.

Recommendations: Update the plugin to version 3.9.2 or later. As a temporary workaround, restrict access to the 'bogo rest create post translation' endpoint for users with low-level privileges.
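The following is an added illustration, not the Bogo plugin's own code: a hypothetical WordPress REST route (namespace `example-i18n/v1`, functions prefixed `example_`, all assumptions) that shows the shape of a locale-only permission gate beside a hardened one. The hardened gate treats "duplicate the post and return its raw fields" as an edit-context read of the source post and therefore requires `edit_post` on that object, which is what keeps subscriber and contributor accounts away from other users' private, draft and password-protected content. The response is built through the core posts controller so that `raw` fields follow WordPress's own context rules.

```php
<?php
// Hypothetical route for illustration only; names are assumptions, not the plugin's code.
add_action('rest_api_init', function () {
    register_rest_route('example-i18n/v1', '/posts/(?P<id>\d+)/translate', [
        'methods'             => 'POST',
        'callback'            => 'example_create_translation',
        'permission_callback' => 'example_can_create_translation',
        'args'                => [
            'id'     => ['validate_callback' => 'is_numeric'],
            'locale' => ['validate_callback' => function ($v) {
                return (bool) preg_match('/^[a-z]{2,3}(_[A-Z]{2})?$/', $v);
            }],
        ],
    ]);
});

// Weak gate, the shape of the issue described above: the only condition is that the
// requested locale is enabled, so any logged-in user naming an allowed locale passes and
// the source post's visibility (private, draft, password) is never consulted.
function example_can_create_translation_weak(WP_REST_Request $req) {
    return in_array($req['locale'], example_allowed_locales(), true);
}

// Hardened gate: object-level capability on the source post plus create rights on the type.
// 'edit_post' on a private or draft post is granted only to its author or to roles with
// edit_others_posts, so a subscriber, or a contributor for someone else's post, is refused
// before anything is copied.
function example_can_create_translation(WP_REST_Request $req) {
    $source = get_post((int) $req['id']);
    if (!$source) {
        return new WP_Error('rest_post_invalid_id', 'Invalid post ID.', ['status' => 404]);
    }
    if (!in_array($req['locale'], example_allowed_locales(), true)) {
        return new WP_Error('rest_invalid_locale', 'Locale not enabled.', ['status' => 400]);
    }
    // Returning title.raw/content.raw/excerpt.raw is an edit-context read of the source,
    // so gate it exactly like core's ?context=edit does.
    if (!current_user_can('edit_post', $source->ID)) {
        return new WP_Error('rest_forbidden', 'You are not allowed to translate this post.', ['status' => 403]);
    }
    // The translation is a new post as well, so the caller also needs create rights for the type.
    $type = get_post_type_object($source->post_type);
    if (!$type || !current_user_can($type->cap->create_posts)) {
        return new WP_Error('rest_forbidden', 'You are not allowed to create posts.', ['status' => 403]);
    }
    return true;
}

function example_create_translation(WP_REST_Request $req) {
    $source = get_post((int) $req['id']);
    $new_id = wp_insert_post([
        'post_type'     => $source->post_type,
        'post_status'   => 'draft',              // never publish on the caller's behalf
        'post_title'    => $source->post_title,
        'post_content'  => $source->post_content,
        'post_excerpt'  => $source->post_excerpt,
        'post_password' => $source->post_password,
        'post_author'   => get_current_user_id(),
    ], true);
    if (is_wp_error($new_id)) {
        return $new_id;
    }
    update_post_meta($new_id, '_example_locale', sanitize_text_field($req['locale']));
    // Let the core controller shape the response: it only emits 'raw' fields in edit context
    // and only for users who pass its own capability checks on the new post.
    $controller = new WP_REST_Posts_Controller($source->post_type);
    $req->set_param('context', 'edit');
    return $controller->prepare_item_for_response(get_post($new_id), $req);
}

function example_allowed_locales() {
    return ['en_US', 'ja']; // constructed sample; a real plugin would read its settings
}
```

The two gates differ in one line that matters: the weak version decides on the request's `locale` alone, the hardened version decides on the caller's capability over the specific source post. Wiring the hardened callback into `permission_callback` rather than into the handler also means a denied request never reaches `wp_insert_post`, so no copy of the protected content is created even transiently.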

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-9013

Affected Products: Bogo