CVE-2026-4338 PUBLISHED

ActivityPub Routing < 8.0.2 - Unauthenticated Drafts/Scheduled/Pending Posts Disclosure

Assigner: WPScan
Reserved: 17.03.2026 Published: 08.04.2026 Updated: 08.04.2026

The ActivityPub WordPress plugin before 8.0.2 does not properly filter the posts to be displayed, allowing unauthenticated users to access drafts/scheduled/pending posts.

Product Status

Vendor: Unknown
Product: ActivityPub
Versions (default: unaffected):
  • affected from 0 to 8.0.2 (excl.)

Credits

  • ryuk (kos0ng) finder
  • WPScan coordinator

Problem Types

  • CWE-200 Information Exposure