{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4338", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-03-17T14:54:23.077Z", "datePublished": "2026-04-08T06:00:08.001Z", "dateUpdated": "2026-04-08T16:06:53.365Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-08T06:00:08.001Z"}, "title": "ActivityPub Routing < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure", "problemTypes": [{"descriptions": [{"description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "ActivityPub", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "8.0.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts"}], "references": [{"url": "https://wpscan.com/vulnerability/50f68395-72fc-4f99-8e6d-6aa90cc640b5/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "ryuk (kos0ng)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T16:06:38.334257Z", "id": "CVE-2026-4338", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:06:53.365Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4338", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T16:06:38.334257Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:06:49.990Z"}}], "cna": {"title": "ActivityPub Routing < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "ryuk (kos0ng)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "ActivityPub", "versions": [{"status": "affected", "version": "0", "lessThan": "8.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/50f68395-72fc-4f99-8e6d-6aa90cc640b5/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-200 Information Exposure"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-04-08T06:00:08.001Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4338", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:06:53.365Z", "dateReserved": "2026-03-17T14:54:23.077Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-04-08T06:00:08.001Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:automattic:activitypub:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DAE437C7-2591-4773-8749-33B18122E30C", "versionEndExcluding": "8.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts"}], "id": "CVE-2026-4338", "lastModified": "2026-04-14T16:23:09.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T07:16:22.400", "references": [{"source": "contact@wpscan.com", "tags": ["Third Party Advisory"], "url": "https://wpscan.com/vulnerability/50f68395-72fc-4f99-8e6d-6aa90cc640b5/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.2)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "original": {"product": "ActivityPub", "source": "cna", "vendor": "Unknown"}, "product": "activitypub", "vendor": "activitypub"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T02:39:40.235280+00:00", "value": {"mitigation_remediation": ["Update the ActivityPub WordPress plugin to version 8.0.2 or newer.", "If an upgrade cannot be performed immediately, disable or delete the ActivityPub plugin until a patch is available.", "As a temporary measure, restrict access to the plugin\u2019s routing endpoints to authenticated users by configuring WordPress or web server access controls, or by adding an authentication check through a WordPress hook."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated disclosure of private WordPress content"}, "threat_synthesis": {"affected_systems": "This vulnerability impacts the ActivityPub plugin for WordPress distributed by Automattic, installed on any WordPress site using a version earlier than 8.0.2. The affected environment includes WordPress installations that rely on the plugin for activity feed and routing operations.", "description_and_impact": "The ActivityPub WordPress plugin by Automattic incorrectly routes content, allowing unauthenticated visitors to view posts marked as draft, scheduled or pending. This flaw results in the disclosure of unpublished content without credentials, violating confidentiality of private WordPress posts. The plugin\u2019s lack of proper authentication checks during route handling is the root cause.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity for this information disclosure flaw. The EPSS score is below 1%, suggesting a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an unauthenticated web request to the plugin\u2019s routing endpoints, meaning any Internet\u2011connected user who can reach the WordPress instance can trigger the disclosure. No additional authentication or privilege escalation is necessary. The likely attack vector is unauthenticated HTTP requests directed to the plugin\u2019s routes, which can be accessed through a browser or automated script over the network."}}}}, "created": "2026-04-08T19:43:49.778170+00:00", "updated": "2026-04-16T02:45:06.085070+00:00", "vendors": ["activitypub", "activitypub$PRODUCT$activitypub", "wordpress", "wordpress$PRODUCT$wordpress"], "weaknesses": ["CWE-200", "CWE-285"]}