{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1060", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-16T19:04:24.186Z", "datePublished": "2026-01-28T14:25:11.551Z", "dateUpdated": "2026-04-08T17:03:16.014Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:16.014Z"}, "affected": [{"vendor": "litonice13", "product": "WP Adminify \u2013 White Label WordPress, Admin Menu Editor, Login Customizer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.7.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs."}], "title": "WP Adminify <= 4.0.7.7 - Unauthenticated Sensitive Information Exposure via 'get-addons-list' REST API", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ecb4f95-346e-49b3-859f-44f28a72f065?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/adminify/tags/4.0.6.1/Libs/Addons.php#L54"}, {"url": "https://plugins.trac.wordpress.org/changeset/3442928/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "yi\u011fit ibrahim sa\u011flam"}], "timeline": [{"time": "2026-01-16T19:20:40.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-27T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T14:41:44.872345Z", "id": "CVE-2026-1060", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:42:12.226Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1060", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T14:41:44.872345Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:42:00.122Z"}}], "cna": {"title": "WP Adminify <= 4.0.7.7 - Unauthenticated Sensitive Information Exposure via 'get-addons-list' REST API", "credits": [{"lang": "en", "type": "finder", "value": "yi\u011fit ibrahim sa\u011flam"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "litonice13", "product": "WP Adminify \u2013 White Label WordPress, Admin Menu Editor, Login Customizer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.0.7.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-16T19:20:40.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-27T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ecb4f95-346e-49b3-859f-44f28a72f065?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/adminify/tags/4.0.6.1/Libs/Addons.php#L54"}, {"url": "https://plugins.trac.wordpress.org/changeset/3442928/"}], "descriptions": [{"lang": "en", "value": "The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:03:16.014Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1060", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:03:16.014Z", "dateReserved": "2026-01-16T19:04:24.186Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-28T14:25:11.551Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs."}, {"lang": "es", "value": "El plugin WP Adminify para WordPress es vulnerable a la Exposici\u00f3n de Informaci\u00f3n Sensible en todas las versiones hasta, e incluyendo, la 4.0.7.7 a trav\u00e9s del endpoint de la API REST /wp-json/adminify/v1/get-addons-list. El endpoint est\u00e1 registrado con permission_callback establecido en __return_true, permitiendo a atacantes no autenticados recuperar la lista completa de addons disponibles, su estado de instalaci\u00f3n, n\u00fameros de versi\u00f3n y URLs de descarga."}], "id": "CVE-2026-1060", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-28T15:16:16.200", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/adminify/tags/4.0.6.1/Libs/Addons.php#L54"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3442928/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ecb4f95-346e-49b3-859f-44f28a72f065?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T18:56:35.782064+00:00", "value": {"mitigation_remediation": ["Update WP Adminify to version 4.0.8 or later, which removes the insecure permission callback.", "If an immediate update is not possible, restrict access to the /wp-json/adminify/v1/get-addons-list endpoint via a firewall rule, .htaccess restriction, or a security plugin that blocks unauthenticated REST calls to that URI.", "Implement a custom permission callback or modify the plugin\u2019s code to require authentication for the REST endpoint, ensuring only authorized users can retrieve addon information."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the WP Adminify plugin installed in any version up to and including 4.0.7.7. The plugin is distributed under the name \"WP Adminify \u2013 White Label WordPress, Admin Menu Editor, Login Customizer\" and is commonly used by site owners who want to customize the WordPress admin interface. Because the plugin is bundled with this name, administrators should verify the plugin version on their sites and consider any version that has not been patched to 4.0.8 or newer as vulnerable.", "description_and_impact": "The WP Adminify plugin exposes sensitive information through an unauthenticated REST API endpoint. The /wp-json/adminify/v1/get-addons-list call returns a full list of available addons, including installation status, version numbers, and download URLs. The vulnerability arises because the endpoint\u2019s permission callback is set to __return_true, meaning it bypasses any authentication checks and permits any external user to harvest plugin metadata without credentials.", "risk_and_exploitability": "This vulnerability carries a CVSS score of 5.3, indicating moderate severity. EPSS indicates a very low exploitation probability (<1%), suggesting that attackers may not aggressively target this weakness, yet the lack of authentication still allows malicious actors to enumerate plugin capabilities. The vulnerability is not currently listed in the CISA KEV catalog. Attackers could leverage the exposed information to identify potentially outdated addons, download URLs, or plan further exploitation of the WordPress environment, especially if other misconfigurations exist. No specific environmental prerequisites are mentioned, so an unauthenticated attacker with network access to the WordPress REST API can exploit it."}}}}, "created": "2026-01-29T09:17:59.625025+00:00", "updated": "2026-04-15T19:00:12.308561+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}