CVE-2026-9013 in Bogo Plugin
Summary
by MITRE • 06/19/2026
The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogo_rest_create_post_translation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt, and password of any private, draft, or password-protected post by triggering its duplication via the translation endpoint and reading the returned title.raw, content.raw, and excerpt.raw fields of the duplicated post. This vulnerability is exploitable against posts written in a non-default locale, as authenticated subscribers can request a translation into the site's default locale to pass the locale-only permission gate. While subscribers can trigger the endpoint, this is only impactful at the Contributor-level as they can actually read the duplicated content.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 06/19/2026
The Bogo plugin for WordPress presents a significant sensitive information exposure vulnerability that affects all versions up to and including 3.9.1. This weakness stems from improper access controls within the bogo_rest_create_post_translation endpoint, which allows authenticated attackers with subscriber-level privileges and above to extract confidential post data. The vulnerability operates through a manipulation of the plugin's translation functionality where attackers can trigger post duplication and subsequently access raw content fields that should remain protected. The exposed information includes title.raw, content.raw, and excerpt.raw fields from private, draft, or password-protected posts, creating a substantial data leakage risk for sensitive content that should only be accessible to authorized users with appropriate permissions.
The technical flaw exploits the plugin's insufficient validation of user permissions when processing translation requests. Specifically, the vulnerability enables authenticated subscribers to bypass normal content access restrictions by leveraging the translation endpoint to duplicate posts written in non-default locales. Through this mechanism, attackers can request translations into the site's default locale, effectively circumventing the locale-specific permission checks that should normally protect content. This design oversight creates a path where users with minimal privileges can access content that would otherwise be restricted to higher-level users. The vulnerability is particularly concerning because it operates through legitimate plugin functionality rather than exploiting a direct code execution flaw, making it more difficult to detect and prevent through standard security measures.
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables unauthorized access to potentially sensitive content that may include proprietary information, unpublished articles, or confidential communications. Attackers at the contributor level can actually read and extract the duplicated content, which represents a significant escalation of privileges within the WordPress ecosystem. This vulnerability affects not just individual posts but entire content repositories that rely on the Bogo plugin for multilingual functionality, potentially exposing large volumes of unpublished content across multiple locales. The attack vector is particularly insidious because it leverages existing plugin features rather than requiring complex exploitation techniques, making it accessible to attackers with basic WordPress knowledge and subscriber-level accounts.
Security mitigations for this vulnerability should focus on immediate patching of the Bogo plugin to version 3.9.2 or later, which contains the necessary access control fixes. Administrators should also implement additional monitoring of REST API endpoints to detect unusual translation requests, particularly those targeting posts in non-default locales. The vulnerability aligns with CWE-200 (Information Exposure) and CWE-284 (Improper Access Control) categories, and represents a clear violation of the principle of least privilege. From an ATT&CK framework perspective, this vulnerability maps to T1213.002 (Data from Information Repositories) and T1078 (Valid Accounts) as it exploits legitimate user accounts to access restricted information. Organizations should also consider implementing role-based access controls within WordPress to further limit translation capabilities and monitor for unauthorized content duplication attempts. Additionally, regular security audits of WordPress plugins should include assessment of REST API endpoints for proper access control validation to prevent similar vulnerabilities in other third-party components.