CVE-2026-10823 in YMC Filter Plugin
Summary
by MITRE • 06/26/2026
The YMC Filter WordPress plugin before 3.11.3 does not properly authorize access to one of its REST API endpoints and does not validate a user-supplied query parameter, allowing unauthenticated attackers to retrieve the titles and content of private, draft, and other non-public posts.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/26/2026
The vulnerability in the YMC Filter WordPress plugin affects versions prior to 3.11.3 and represents a critical authorization bypass flaw that undermines the fundamental security model of WordPress content management systems. This issue stems from insufficient access control mechanisms within the plugin's REST API implementation, where specific endpoints fail to properly validate user permissions before exposing sensitive content. The flaw allows unauthenticated attackers to exploit a missing validation check on a user-supplied query parameter, effectively granting them access to private, draft, and other non-public posts that should only be visible to authorized users with appropriate privileges.
The technical nature of this vulnerability aligns with CWE-284 which addresses improper access control, specifically focusing on inadequate authorization checks within API endpoints. The flaw operates at the application layer where REST API interfaces are designed to provide programmatic access to WordPress functionality but inadvertently expose content that should remain protected. Attackers can leverage this vulnerability by crafting malicious requests to the affected REST API endpoint without requiring authentication credentials, thereby bypassing WordPress's built-in permission systems that typically restrict access to unpublished content.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with comprehensive access to sensitive content including private posts, draft articles, and other unpublished materials. This exposure can result in significant business disruption, reputational damage, and potential compliance violations depending on the nature of the disclosed content. The vulnerability affects all WordPress installations using the affected plugin version, creating a widespread risk across numerous websites that rely on the YMC Filter plugin for their functionality.
Organizations should immediately implement remediation measures including updating to version 3.11.3 or later where the authorization bypass has been addressed. Additionally, administrators should conduct comprehensive security audits of all installed plugins to identify similar vulnerabilities and ensure proper access control mechanisms are in place. The vulnerability demonstrates the importance of validating user inputs and implementing robust authentication checks for all API endpoints, particularly those that provide access to unpublished content. Security teams should also consider implementing network-level monitoring to detect suspicious API access patterns and establish proper baseline configurations that restrict unnecessary public access to WordPress REST API endpoints.
The flaw exemplifies ATT&CK technique T1213 which involves data exploitation through unauthorized access to restricted information sources, highlighting how seemingly minor authorization gaps can create significant security risks in content management systems. Organizations implementing WordPress solutions must ensure that all plugins undergo thorough security review processes and maintain up-to-date versions to prevent exploitation of known vulnerabilities. This incident underscores the necessity of proper input validation and access control implementation as fundamental security controls within web applications, particularly those handling sensitive user-generated content that should remain protected from unauthorized disclosure.