PT-2026-60398 · WordPress · List Category Posts

Niyht

·

Published

2026-07-16

·

Updated

2026-07-16

·

CVE-2026-12434

CVSS v3.1

4.3

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions List category posts plugin for WordPress versions prior to 0.96.0
Description Authenticated attackers with contributor-level access and above can extract sensitive data from other users' pending-review, scheduled, and trashed posts. This is achieved by embedding a crafted [catlist] shortcode in a draft and previewing it, which exploits a flaw in the sanitize status function. The exposed information includes post titles, full content, excerpts, dates, authors, and custom-field metadata.
Recommendations Update the List category posts plugin for WordPress to version 0.96.0 or later.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-12434

Affected Products

List Category Posts