CVE-2026-9008 in Page-list Plugininfo

Summary

by MITRE • 06/06/2026

The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsible

Wordfence

Reservation

05/19/2026

Disclosure

06/06/2026

Moderation

accepted

Entry

VDB-369031

CPE

ready

CWE

CWE-862 (confirmed)

CVSS

4.3 (CNA)

EPSS

0.00000

KEV

Activities

very low

Sector

Hostingprovider

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-9008
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-9008
CVE Details	https://www.cvedetails.com/cve/CVE-2026-9008/

◂ Previous Overview Next ▸

Interested in the pricing of exploits?

See the underground prices here!