MEDIUM 4.3

CVE-2026-9008: Page-list WordPress Plugin Missing Authorization Vulnerability

The Page-list plugin for WordPress contains an authorization flaw in its shortcode feature that allows authenticated users with contributor-level or higher permissions to view sensitive content they shouldn't be able to access. By inserting a specially crafted shortcode into a draft post and previewing it, attackers can extract titles, body text, and metadata from private or draft pages across the entire site. The vulnerability exists because the plugin doesn't verify whether the current user is permitted to view the pages being queried.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-862
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9008 is a missing authorization vulnerability in the Page-list WordPress plugin affecting all versions through 6.2. The pagelist_unqprfx_ext_shortcode() function processes the [pagelist_ext] and [pagelistext] shortcodes without capability checks on attacker-supplied post_status, post_type, and show_meta_key parameters. These parameters are passed directly to WordPress functions get_pages() and get_post_meta(). When a query returns no child pages, the function re-executes with child_of => 0, expanding the scope to all pages matching the supplied filters. This allows extraction of restricted post metadata and content from pages the requesting user should not be able to access. The vulnerability is classified as CWE-862 (Missing Authorization).

Business impact

The exposure is limited to information disclosure but affects confidential page content across WordPress sites using the plugin. Organizations that use private or draft pages to store sensitive information—such as unpublished announcements, internal policies, or confidential client work—face uncontrolled disclosure to any contributor-level user. While the vulnerability requires authentication and deliberate shortcode injection, the risk compounds in multi-author environments or those with elevated contributor access. The CVSS 3.1 score of 4.3 (Medium) reflects the authentication requirement and confidentiality impact without affecting integrity or availability.

Affected systems

All versions of the Page-list WordPress plugin up to and including version 6.2 are affected. The vulnerability targets WordPress environments with active contributor or editor accounts that have permission to draft and preview posts. Organizations using older versions or those with many unpublished pages in draft or private status face elevated risk.

Exploitability

The attack requires valid WordPress authentication (contributor level or above) and the ability to create or edit draft posts and use the preview function. No user interaction is needed beyond the attacker viewing their own preview. The attack is straightforward to execute once a user has draft access, making it a practical concern for environments with distributed authorship or external collaborators. However, the requirement for pre-existing authentication and the lack of escalation pathways limit real-world impact for most organizations.

Remediation

Update the Page-list plugin to a version that includes proper authorization checks in the pagelist_unqprfx_ext_shortcode() function. Verify against the vendor advisory for the specific patched version. Organizations unable to patch immediately should restrict contributor-level permissions to trusted users only and audit draft/private page content for unauthorized access.

Patch guidance

Check the plugin's official repository or vendor advisory for the latest version addressing this vulnerability. Apply the update through the WordPress admin dashboard under Plugins > Installed Plugins > Update, or manually replace the plugin files with the patched version. Test functionality on a staging environment before production deployment to ensure compatibility with custom page queries or extensions. Verify that the shortcode now enforces capability checks matching the current user's edit_posts or read_private_posts permissions.

Detection guidance

Monitor WordPress post revision and preview logs for suspicious shortcode usage, particularly [pagelist_ext] and [pagelistext] with unusual post_status or post_type parameters in draft posts. Audit database query logs for mismatched user permissions accessing private or draft page metadata. Review contributor and editor access logs for users creating and previewing drafts containing these shortcodes. Implement logging of post_meta queries to track extraction of restricted metadata. Check for shortcode usage in posts authored by low-privilege accounts in audit trails.

Why prioritize this

While the CVSS score is moderate, the vulnerability is relevant for organizations with sensitive unpublished content and distributed authorship. The ease of exploitation and the authenticated nature of the flaw position it as a secondary-priority concern that deserves patching in routine maintenance cycles rather than emergency response. Prioritize patching if your environment has high-risk draft or private pages containing financial data, client information, or strategic announcements.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a network-accessible vulnerability with low attack complexity and low privilege requirements (contributor level). The scope is unchanged, meaning the impact is limited to the vulnerable plugin. Confidentiality is impacted (Low) as restricted page content can be disclosed. Integrity and availability are unaffected. The authentication requirement prevents casual or unauthenticated abuse, preventing a higher severity rating.

Frequently asked questions

Does this vulnerability allow attackers to modify or delete pages?

No. CVE-2026-9008 is purely an information disclosure issue. The vulnerability allows unauthorized reading of page content and metadata but does not permit modifications, deletions, or any changes to page data or site configuration.

Can an attacker escalate privileges or gain admin access through this vulnerability?

No escalation path is documented. The vulnerability is confined to viewing restricted page content. It does not lead to privilege escalation, remote code execution, or administrative access.

What if we don't use private or draft pages?

If your WordPress site publishes all pages immediately and does not rely on private or draft status for content organization, the risk is substantially lower. However, we still recommend patching as defensive practice and to prevent accidental exposure if page workflows change.

Can we mitigate this without updating the plugin?

Partial mitigation is possible by restricting contributor-level permissions to only trusted, well-vetted users and regularly auditing draft content for shortcode abuse. However, patching is the only reliable fix. Disabling the plugin entirely eliminates the risk if its functionality is not critical.

This analysis is based on the CVE record published June 6, 2026, and modified June 17, 2026. No CVSS score, vendor patch version, or other technical detail should be assumed unless explicitly sourced from an official vendor advisory. Proof-of-concept code or weaponized tools are not provided. Organizations must independently verify patch availability and compatibility with their specific WordPress environment before deployment. SEC.co does not guarantee the accuracy or completeness of any third-party vulnerability data and recommends consulting official vendor advisories for definitive remediation steps. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).